== Clearing files in database ==

This is to be done if you want to clean an old database or clean a training database so that a client can enter fresh data.

These commands DO NOT reset the data to "factory settings" so for new installations you need to download a fresh BACKUP.ZIP file from the NEOSYS website.

*Clear transactions F5 - CLEAROP (only clears transactions not reference files)

*Clear all F5 - CLEARALL (rather nasty command because it clears all reference files as well)

*Clear finance transactions F5 - CLEARACC

== Clearing selected files in database ==

This can be done if you want to reimport selected files. The flush index command MUST be performed after doing any clearing.

WARNING This procedure must not be used if there are any transaction in the system that might use the files being cleared.

WARNING Clearing individual files is error prone because other files might refer to the records you are clearing (referential integrity is not applied so dangling references may be created). For example, clearing suppliers without clearing vehicles in advance results in vehicles which have supplier codes that do not exist. Even if you reimport the suppliers, some supplier codes in the vehicles file may not be reimported leaving vehicles with problems.

WARNING The opportunity to create problems that have no solution and that may only surface when the system is in operation is endless unless you think through the implications very very very carefully.

*Flush Index F5 FLUSH.INDEX (this command MUST be performed immediately after any data clearing)

*Clear suppliers F5 CLEARFILE SUPPLIERS

*Clear vehicles F5 CLEARFILE VEHICLES

*Clear Payment Instruction F5 CLEARFIELD CLIENTS PAYMENT_INSTRUCTIONS (only clears the payment instruction from the client and brand file)

== Mass updating database without data entry ==

Warning: It is advisable that you take the approval of NEOSYS DBA or programmers before doing any of the following procedures. There is no protection whatsoever from damaging the database if you do not appreciate all the implications of any particular update. Common sense and caution must be used. If you damage a database then it may be, or with operation become, irretrievably damaged and require reconstruction from a backup causing possibly extreme finance damages to the owner of the data and consequences for yourself. You have been warned.

There are many commands in maintenance mode that allow you to amend the database directly and without any record and without any ability to reverse changes.

Normally, no record of the changes is made. All changes will appear to have been done by the last user at the time and date of the last normal user interface amendments.

=== Available fields to clear or set ===

#Client & Brand File: CLIENTS MARKET_CODE
#Client & Brand File: BRANDS MARKET_CODE

=== How to clear a database field ===

Assuming that a particular database field may be blank (i.e. not required for data entry) then you may clear a field as follows.

Warning: There is nothing to stop you clearing a field that is mandatory and doing this may cause irrecoverable damage to the database.

In the following example we wish to change all clients with market code “UAE to have market code blank.

First, if you don’t want to clear all records, “select” the required records.

SELECT CLIENTS WITH MARKET_CODE “UAE”

After a period of time, depending on the number of records in the file, it should briefly state the number of records selected and then return to the command prompt.

WARNING: If no records have been selected then ALL records will be updated by the following command!

CLEARFIELD CLIENTS MARKET_CODE

=== How to set a database field ===

In the following example we change all the clients where the market code is blank (has not been entered) to become “UAE”.

Warning: You can set the market code to a market code that does not exist. This will cause various problems in the operation of the system but is probably not irrecoverable.

First, if you don’t want to set all records, “select” the required records.

SELECT CLIENTS WITH MARKET_CODE “”

After a period of time, depending on the number of records in the file, it should briefly state the number of records selected and then return to the command prompt.

WARNING: If no records have been selected then ALL records will be updated by the following command!

CLEARFIELD CLIENTS MARKET_CODE/UAE

== Backup to other media (i.e. not to USB)==

[[Backup and Restore#Backup to other media (i.e. not to USB)|Backup to other media]]

== Configure Backup of Uploads on NEOSYS hosted Server to a Client specific Sub Directory ==

Install the following patch and the system will backup to its own client specific sub directory under images folder. Go to the maintenance mode of each Client and type the following command :

INSTALL FILEMAN X:\(O)

where '''X:\''' is the drive configured for Backup of Uploads in the System Configuration File. See [http://userwiki.neosys.com/index.php/System_Configuration_File#Uploads Configure Backup of Uploads]

== Copying a single record from one database to another ==

You need to know the file name and record key of the record to be copied.

In this case the file is DEFINITIONS and the key is AGENCY.PARAMS

You can invent any old style 8.3 filename instead of C:\AGP.DAT in the following example

On the source computer:

F5
COPY DEFINITIONS AGENCY.PARAMS TO: (DOS C:\AGP.DAT)

On the target computer:

F5
COPY DOS C:\AGP.DAT (ON) TO: (DEFINITIONS AGENCY.PARAMS)

The (O) option is required to force overwrite of the existing

The (N) option means only copy if the target already exists. It is advisable to use it when you know that the target already exists to avoid misspellings in the command. It must be omitted if the target doesnt exist.

== Allowing users temporary login as NEOSYS in maintenance mode ==

#Get them to login with any name even NEOSYS
#Get them to enter "?" for the pass without the quotes
#NEOSYS will give them a lock like "NEOSYS 123456" which they must give you. You should not log out until the next step is completed
#Follow the NEOSYS lock/key procedure using the full contents of the lock including the user name
(to allow access EXCEPT access to authorisation screen use a special number (not documented here) as the last number of the initial command)
#Give them the key and get them to enter and proceed

== Configuring upload of photoshop "cs2" jpg files ==

Photoshop version "cs2" produces jpg files that cannot be viewed in Internet Explorer.

A solution is to rename the files extension from .jpg to .psjpg before uploading.

"psjpg" files are an invention of NEOSYS and IIS must be configured to handle .psjpg files as follows:

Windows Server 2003 (doesnt work on XP)

#Computer Management, Internet Information Server, Properties
#Click MIME Types
#Click New
#Extension: psjpg
#MIME Type: application/photoshop
#Click OK,OK,OK
#Restart IIS (Right click, All Tasks, Restart)

== System Configuration File ==
=== Scope ===

*All Installations
*Current Installation (default)
*Current Database

You can configure most items at the above “scopes”. Any item configured on higher/broader scope has priority over the same item on a lower/narrower scope.

Assigning higher priority to higher/broader scopes allows us to override any and all individual installations/databases configurations with a particular configuration of our choosing. However it does not allow us to set a default configuration for all installations/databases and then separately configure each one where desired. That would require NEOSYS to assign priority to lower/narrower scopes – which it doesn’t do.

Configuring IIS

2014-11-06T09:01:57Z

Nikhil:

After you have installed all the NEOSYS program files you need to configure IIS so that you can operate NEOSYS. Instructions are below.

== Configuring IIS for windows 2003 ==

=== Creating a virtual web directory ===

'''Client Server:''' first step is to create a virtual directory called neosys linked to D:\neosys\neosys.net:

'''NL1 Server:''' Create a website called "clientname" linked to D:\hosts\clientfolder\neosys.net

[[image:figure1.jpg]]

[[image:figure3.jpg]]

A new window will pop up "IP Address and Port Setting" after completion of the above step.

'''Client Server:''' select *(All Unassigned)* from the drop down list of "Enter the IP address to use for the Web site" and keep the default port as 80.

'''NL1 Server:''' Select the static Ip from the drop down list of "Enter the IP address to use for the Web site" and enter then next port available and click on next.

[[image:Figure_2.jpg‎]]

'''Client Server:''' Within the above neosys web site folder create a virtual directory called data linked to D:\neosys\data:

'''Nl1 Server:''' Within the above clientwebsite folder create a virtual directory called data linked to D:\hosts\clientfolder\data:

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

=== To allow file uploads ===

==== Create IMAGES directory ====

'''Client server:''' create a folder IMAGES under D:\neosys and within the neosys web site folder create a virtual directory called images linked to D:\neosys\images: Modes: READ and WRITE

'''Nl1 Server:''' create a folder IMAGES under D:\hosts\clientfolder and within the client web site folder create a virtual directory called images linked to D:\hosts\clientfolder\images: Modes: READ and WRITE

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

==== Permit upload.dll ====

# Right click Default Web Site, neosys, NEOSYS, dll
# Execute Permissions: Scripts and Executables

# Internet Information Services (IIS) Manager
# Web Service Extensions
# All Unknown ISAPI Extensions: Allowed

=== Solving error during file upload: "Page cannot be displayed" HTTP Error 405 ===

This error should not occur in normal NEOSYS installations but the solution is as follows:

# Go to Control Panel, Administrative Tools, Internet Information Services
# Expand the tree to COMPUTERNAME, Web Sites
# Right-click "Default Web Site" (or specific Web Site if multiple NEOSYS http/https installations on the server as per NL1)
# Properties
# Home Directory
# Configuration
# Mappings, Add
# Browse
# Dynamic Link Libraries *.dll" from the "Files of Type" dropdown
# Find and select D:\NEOSYS\neosys.net\NEOSYS\dll\upload.dll (OR upload.dll in the installation directory)
# Extension Type: dll
# Limit to: All
# Click the "OK" button

=== Solving HTTP Error 404 Error occurring immediately on opening NEOSYS login page on a new server installation: "System Failure. Do you want to retry?" ===

This error message is caused by failing to enable Active Server Pages in the IIS configuration.

This message is from IE8 and a Windows 2003 server. The message may be different for other browser versions.

<pre>
Message from web page.

System Failure. Do you want to retry?

The page cannot be found
The page you are looking for might have been removed, had its name change, or it temporarily unavailable.

Please try the following:
(omitted)
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
</pre>

[[image:http404.jpg]]

=== Solving HTTP 404 Webpage cannot be found ===

This error message clearly states that the page cannot be found. Check for the requested page in the client website folder under the virtual directory data. This page will be available under the data folder in D:\neosys\data. A possible cause of this error is by failing to create a virtual directory called data linked to D:\neosys\data:

[[image:http404p.jpg]]

== Configuring IIS for Windows 2008 ==

=== Installing IIS ===

First install IIS from Control Panel > Programs & Features > Turn Windows Features ON or OFF > Add Roles:

[[image:iis1.jpg]]

On the window that pops up click on next and you will get this screen, tick Web Server (IIS) - on the prompt click on Add Required Resources and then on Next:

[[image:iis2.jpg]]

On the next window, click on next until you get this window - tick ASP and ISAPI Extensions:

[[image:iis3.jpg]]

Click on Next and Finish

=== Configuring IIS ===
====Create a new Website====
After successfully installing IIS, go to Control Panel > Administrative Tools > Computer Management > Services and Applications > Internet Information Services (IIS) > Machine Name > Sites > Default Website:

'''Client Server:''' Create a virtual directory called '''neosys''' linked to {{Client server Installation Location}}neosys.net as shown in the screenshot below

'''WIN3:''' Right click on Sites folder and click on Add Website. Create a website called "clientname" linked to {{NEOSYS server Installation Location}}neosys.net; This step requires a binding to be setup, so setup HTTP binding with a port number which is unique, unused and one greater than the previous port used in the series which is 8123 onwards. The highest port number used in this series can be found by checking IIS manager -> NEOSYS ->Sites.

[[image:iis4.jpg]]

====Link Data Folder====

'''Client Server:''' Within the neosys website folder create a virtual directory called '''data''' linked to {{Client server Installation Location}}data

'''WIN3:''' Within the "clientname" website folder create a virtual directory called '''data''' linked to {{NEOSYS server Installation Location}}data

[[image:iis5.jpg]]

====Allow file uploads====

'''Client Server:''' create a folder '''images''' under D:\neosys and within the neosys web site folder create a virtual directory called '''images''' linked to {{Client server Installation Location}}images

'''WIN3:''' create a folder '''images''' under D:\hosts\clientfolder and within the "clientname" website folder create a virtual directory called '''images''' linked to {{NEOSYS server Installation Location}}images

[[image:iis7.jpg]]

====For Mac Users to access Jobs and Timesheet====

'''Client Server:''' In the IIS Default Web Site create a another virtual directory called neosys2 linked to {{Client server Installation Location}}neosys.w3c. Under neosys2 virtual directory create 2 more virtual directories for data and images which are linked to {{Client server Installation Location}}data and {{Client server Installation Location}}images respectively

'''WIN3:''' In the "clientname" website folder create another virtual directory called neosys2 linked to {{NEOSYS server Installation Location}}neosys.w3c. Under neosys2 virtual directory create 2 more virtual directories for data and images which are linked to {{NEOSYS server Installation Location}}data and {{NEOSYS server Installation Location}}images respectively

[[image:iis6.jpg]]

After you add all virtual directories the tree map of the Default Website should look as follows:

[[image:iis8.jpg]]

====Configure file uploads besides adding the images directory====

'''Client Server:''' Go under IIS > Default Website > neosys

'''WIN3:''' Go under IIS>Sites>Clientname Website

Click on Handler Mappings and delete the ISAPI you see there

[[image:iis9a.jpg]]

Thereafter click on Add Script Map and fill in the details as follows –

Request path: *.dll

Executable:
*For Client Server: {{Client server Installation Location}}neosys.net\NEOSYS\dll\upload.dll
*For WIN3: {{NEOSYS server Installation Location}}neosys.net\NEOSYS\dll\upload.dll

Name: ISAPI

Click on OK and on YES in the confirmation box

[[image:iis9b.jpg]]
[[image:hm.jpg]]

====Editing the hosts file====
Edit the hosts file under c:\windows\system32\drivers\etc\ - delete the # sign next to 127.0.0.1 localhost and include the # sign before ::1 localhost

[[image:iis10.jpg]]

==== Solving IIS error 500 on uploading ====

To test if permissions are the problem, in grant full control to IUSR over the whole client drectory eg d:\neosys or d:\hosts\clientx in security tab of windows explorer and see if you can upload.

Regardless of the result, remove the full control permissions since they are a security risk.

If permissions are the problem then grant specific permissions as follows:

#images folder - read and write permissions (but not execute)
#dll folder - read and execute permission (no write permission)

== Disabling unsecure SSL3 protocol on Windows IIS web server ==

POODLE is an information leakage attack on client browsers while accessing web server that support the older SSL3 protocol. It is easy to prevent it by reconfiguring web servers to not support SSL3.

=== Securing IIS web server on win2003 and 2008 by disabling unsafe SSL3 protocol ===

#check if the web server is vulnerable (see section below)
#continue if vulnerable, stop if not
#create a file called IISdisableSSL3.reg
#open it
#accept to load info into the registry
#reboot the server (at any time later using standard NEOSYS rebooting procedure without disturbing users)

<pre>
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
</pre>

=== Testing for IIS vulnerability ===

In a linux command prompt eg nagios login and replacing $HOST and $PORT with

*$HOST for host name like demo.neosys.com
*$PORT with something like 4430

=== A. Check you CAN connect to https server using TLS ===

openssl s_client -host $HOST -port $PORT

<pre>
nagios@vm1m:~$ echo|openssl s_client -host demo.neosys.com -port 443
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2DCCAUWgAwIBAgIQd0J0l4kJrpJHonAv5U8VLjAJBgUrDgMCHQUAMBoxGDAW
BgNVBAMTD2RlbW8ubmVvc3lzLmNvbTAeFw0wODA3MjcxOTUxMDNaFw0zNTEyMTIx
OTUxMDNaMBoxGDAWBgNVBAMTD2RlbW8ubmVvc3lzLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAxzwtoqq49vV7pyBQ6Ej+PvbB1QxkdsxNn5EZSLSOppCb
jNjV8fFa98unPR0pGM0UdjWMUYodj12c2pnIrfrtXv7pYf+iC1corPEY7607Icbs
rSOc5aFwnlUYpktoysV1G1crGYgYgXbXgVOUO9phHXJarpKf6SjVw3uXTLlmPUkC
AwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCwAAAAMAkG
BSsOAwIdBQADgYEAmgyW60pT62JuM8GH+KogHW7viaMsifXitm3BC/GfaORpJCox
aS20fAlzGyAlDe9nZWN4roLSxQv0laJkxyNPDuHvLJt1l0FVdk6/vGB6QH0KqM+S
UaUTLsDZ99UNS/inotobxD9vXuKl58Uoe2lu7r9vJ+1DWDC6AyueSZ6xnno=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 635 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 8A0A00002D51DE183AC2845C6B3FF4BC7485181B4DCBC1758E3A2D5399BDD71C
Session-ID-ctx:
Master-Key: B10B9370E4DF70E873873AB9851B3CEF19623E6ADA697955E375D931DEE8301D798B4CB14C8D33FCF1BA066C0CC23897
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885416
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

=== B. Check that you cannot CANNOT to https server using SSL3 ===

openssl s_client -ssl3 -host $HOST -port $PORT

==== CAN CONNECT = VULNERABLE = NOT OK ====

If you get this then you need to configure the server to prevent SSL3

<pre>
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
gethostbyname failure
connect:errno=0
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB3jCCAUugAwIBAgIQNj9FMjT1vIxGo2Mv2Ta9vzAJBgUrDgMCHQUAMB0xGzAZ
BgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTAeFw0wODAzMjUxMTIxMzFaFw0zNTA4
MTAxMTIxMzFaMB0xGzAZBgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEArRuijA8jz3qBm2ZZEwITIJLWIMlQmZxcUvOo
HNZL0+3oJuX0AQqtpRZMp/7ob9agngfwJQ36vK+424zcBbmKxA2MweKZRalN2jz+
rdr1oeZ6/Ff3r8+rCPFj/B8CfMOQbSv6YcR0kVc+8ugybB7qT6Nq5ZWOAczG3Ikt
4EnOlqUCAwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCw
AAAAMAkGBSsOAwIdBQADgYEAHIq5Gn2LiMgXFaUYrFEfHeajD4jAwdFw+zrjcBDZ
qM9LnhndHhdPogow9m9cCv1n57ne9rZL1v7w7Y6C53359hTUVZFqtHFfzcWnNyKD
uHD9a8QDk6/dSwBr/SWIE6OdFUYAj/kDXRQNB5H459spRVa3Yws8vpwrWZhoklxq
CQg=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 649 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 441A0000EBC1D634B2CDB12924F9B980D2A4CF8C4DD6D3FB9728D3C74F62A8FE
Session-ID-ctx:
Master-Key: 38F040BE3E7098857B7CB9FF3B44937786F8F8C002B0042370B29F20EFB582833F9E24CFC8E6560AFD06751DC93412D3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885545
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== CANNOT CONNECT = NOT VULNERABLE = OK ====

<pre>
nagios@vm1m:~$ echo|openssl s_client -ssl3 -host demo.neosys.com -port 443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885702
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
</pre>

=== Enabling Internet Explorer 6 to access secured https web servers ===

To use Internet explorer 6 (on win2003 and XP-before-SP3) to access secured http web sites you need to enable IE6 to use TLS 1.0. Internet Explorer 6 is present in Windows Server 2003 and Windows XP-pre-SP3.

You can also disable SSL 2.0 and SSL 3.0 for additional safety. This good for later versions of Internet Explorer too.

[[File:IE_options.jpg]]

File:IE options.jpg

2014-11-06T09:00:47Z

Nikhil:

Procedures

2014-11-06T07:36:20Z

Nikhil: /* Teamviewer */

Here are procedures to be followed by Support Staff in respect to various technical matters in day to day operations of client issues.

== Handling Clients with Overdue Invoice ==
In order to maintain good payment speed by clients NEOSYS needs to restrict support to clients that dont pay their bills on time, however the degree of restriction needs to depend on an intimate knowledge of the client which cannot be expected from all NEOSYS support staff. Therefore we will use a simple escalation policy as follows:

=== Overdue Support List ===
NEOSYS SUPPORT MANAGERS WILL maintain an overdue list on a whiteboard visible to all support staff. Generally clients will go on the list immediately when their invoice is overdue and come off only after satisfactory commitment to pay have been obtained.

NEOSYS SUPPORT STAFF WILL discretely refer any calls for support from client on the overdue list to support managers for handling.

Managers may well instruct support to provide support on a case by case basis even if clients are on the overdue list. Being on the overdue list does not necessarily indicate a major issue with accounts

In case clients pressurize NEOSYS staff to provide support then the support staff must inform them that there is an issue with their account and that their request had been forwarded to the manager.

For the first week only of each quarter of the year, normal support should be provided for server failures and backup failures but nothing else.

== Handling Links and Email Attachments ==

'''DO NOT TRUST ANY LINK OR ATTACHMENT IN ANY EMAIL EVEN FROM HIGHLY TRUSTED PEOPLE OR ORGANISATIONS'''

These days you can no longer trust links or attachments in emails from anybody - even emails from highly trusted people like your bank.

If a personal computer or intermediate email server is hacked then even genuine emails sent out from it can be infected and modified in a hidden way that can result in the recipient being infected if they click or open anything in the email.

Therefore you should know and understand how to avoid, as far as possible, getting tricked and infected via emails.

Malware authors generally rely on the fact that most people devote no time at all to security precautions so a moderate cautious approach, slowing down a little to spending some time on security, even where it is apparently not required, is enough to defeat most attacks.

=== Links ===

The links in an email, even from someone you know and trust, can LIE to you about what website they will open and you may be taken to infected web sites that will attempt to infect your computer.

WHAT LINK/WEBSITE WILL BE OPENED MAY NOT BE WHAT IS SAYS IN THE BODY OF YOUR EMAIL!

Therefore, to use a link in any and all emails, first hover your cursor over it and check the bottom of the screen where you can usually see exactly what website will be opened, or, to be more sure exactly what web site you are opening do not click links in emails at all. COPY/PASTE THE LINK TO YOUR BROWSER

Make sure you know and trust the web site being opened.

#Carefully inspect the spelling of the domain name to avoid tricky look-alike fraudulent links eg hcsb.com instead of hsbc.com
#If you do not personally know the website then get independent confirmation from the sender. Reply to the email so that the sender can check the link you received has not been tampered with.

=== Attachments ===

There is no way to determine if an attachment, even from someone you know, has not been infected and is therefore dangerous. The only protection is to rely on anti-virus/anti-malware software in your computer.

You can check the names and file types/extensions of attached files to spot any obviously strange or unexpected attachments but this is not very effective.

Be careful that if there are a lot of attached files not to assume that all are safe because the majority are unsafe.

==Client Contact Report Policy==

Ensure that Client contact reports are sent to your manager within 24 hours of the meeting.

== Client Communications ==

If issues become contentious then voice, phone call or chat is REQUIRED. Emails are NOT sufficient.

If not possible to contact for any reason then an email MUST be sent stating so and suggesting or requesting a time to connect.

Every significant voice, phone or chat conversation MUST be followed up with an email confirming at least the jist of the communication.

cc Client managers (AND/OR BCC NEOSYS Managers) MAY be done if thought to be useful and/or appropriate.

== Client Password Policy ==
All client user passwords, including their initial one, are to be obtained via the user's email address using the password reminder/reset button on the login screen. [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#What_is_NEOSYS_password_policy.3F (NEOSYS password policy)]

NEOSYS staff should never know users passwords therefore NEOSYS will not obtain and grant user passwords. The reason for this is that in the event that users lose their passwords to other people who then login unauthorised then suspicion could fall on the NEOSYS staff who know their password.

All parties concerned, including client management, client users and NEOSYS support staff, benefit greatly from trusting that if something in a NEOSYS database is registered as having been done by a particular user then it was not in fact somehow done by NEOSYS support staff. Nothing should be done that would break such fundamental trust. To achieve this, NEOSYS support staff must never log in as particular users, never ask for users passwords and generally enforce the idea that all work logged as being done by users IS done by users.

Very limited amounts of work by NEOSYS support staff either in person or remotely using teamviewer is acceptable while a user is logged as long as the user login was performed by the user themselves, the user is present and the user specifically agrees with the work being done.

=== Support requests from ordinary client users ===
Any support requests concerning inability to obtain passwords will be forwarded to known skilled users on the client staff since this is the most efficient (not fastest) way to handle such issues.

=== Support requests from senior client management ===
Any support requests concerning inability to obtain passwords by senior client management users shall be handled directly by NEOSYS support staff in any way convenient to resolve the issue in the quickest possible time rather than the most efficient.

Bearing in mind that NEOSYS staff should never know user's passwords this will probably involve NEOSYS staff using the Password Reminder/Reset button to send a new password to the user.

=== User Defined Passwords ===
NEOSYS will provide user defined passwords in very special cases which must be pre-approved case by case by NEOSYS management. NEOSYS will not approve this due to the reasons mentioned [[Procedures#Client_Password_Policy|here]].

Currently this permission has only been granted to one NEOSYS client with several hundred of databases.

== Handling client issues and requests==

All support issues must be dealt with through phone/email/chat. Support Staff can schedule client visits for User Training but should not schedule client visits solely for providing support for petty issues.

=== Handling users who login with other people's NEOSYS usercodes ===

This can cause a lot of confusion in both the client and NEOSYS support. It may also indicate that the correct NEOSYS monthly licensing fee is not being paid. There is no valid reason for anonymous logins or sharing logins between multiple users.

Therefore if NEOSYS support team get requests for support about using NEOSYS from users who are not registered properly in NEOSYS with an personally identifiable user code, name and email then the following email should be sent cc admin@neosys.com.

No exception should be granted to clients without NEOSYS management approval.

<pre>
Dear NEOSYSUSER,

Please note that in order to receive support from NEOSYS you must personally have an identifiable user code, name and email address registered
in NEOSYS.

We can create new user account for you with your management approval. This may or may not have an impact on the NEOSYS monthly licensing fee
depending on the agreement in force.

Please let us know what you would like us to do.

Best Regards,
NEOSYS Support
</pre>

===Handling emails requesting support===
At times, clients forward old emails, with new issues or do not bother putting the correct subject line for new issues. In such situations, support should fix their email by deleting the irrelevant content and changing the subject and add a comment like "PS Please don't forward old emails for new issues, either start a new email or delete previous content and put a new subject."

=== Handling Requests to do Client work ===
NEOSYS Support staff must not agree or offer to do work on behalf of the client.

This is because doing client work while logged in as NEOSYS breaks security rules. Support uses the NEOSYS username which has unrestricted access, so when a user requests Support to do some work which they don’t have access to, and if Support agrees to do the work, the client has successfully defeated the security rules by accessing features that they are unauthorized to access.

=== Updating Clients about unresolved issues ===
Support should proactively inform clients if an issue is not solved within the same day it was raised, after judging the urgency of the issue and the time it was raised. An email to the client who raised the issue, before the end of each day, is a best practice that keeps the client updated and other support staff too. This email should be sent regardless of the degree to which the issue has been resolved or if the issue is unresolved. If the issue is unresolved, the email should explain why and also explain the cause of delay.

=== Handling new USER creation ===
Support staff should create new USERS for clients when requested by authorised person. Clients should not be discouraged to create new users. User statistic is reviewed periodically and clients are billed as per user usage. Over time old USERS are replaced with new USERS. The USER code is the first name of a user.

New user requirements :-
#Full name
#Email address
#Group level / User with similar authorisation.

=== Handling letterhead change requests ===

Support staff should reject any requests that requires the letterhead to be setup on the TESTING dataset before it is setup in the MAIN dataset.This is to reduce double work for support staff and to ensure that clients have a clear understanding of their requirements and also send the correct logo image.
The MAIN dataset can be copied to the TEST dataset for any kind of testing.

=== Handling error messages ===

'''Important:''' Before Attempting to resolve client issues, please ensure that we have secure access to the NEOSYS server.

#The very first step is understanding client problem.
#Ask the client what error does he gets on the screen.
#If error seems to be familiar then resolve it over the phone.
#If error is unknown then ask user to send a screenshot of the error displayed along with the options used (basically you need to know HOW to replicate the error)
#Upon receipt of the error, check in all the wikis for a solution.
#If the issue is unknown or you don’t understand it clearly ask the user then use remote support to gain access to the users desktop to view how to replicate the error.

If it is new issue then report by escalation the same issue to your manager with a brief explanation.

=== Addressing Technical support emails ===

In the case of technical support issues, address emails to the IT person and cc the complete group of recipients of backup emails and other NEOSYS alert emails. This allows both NEOSYS and client IT staff to take credit for resolving issues that NEOSYS raises instead of working in the background unacknowledged.

Technical support issues include backup failure, server failure, missing alert email, server connectivity issues and port forwarding issues and many other issues.

=== Acceptable report format when handling issues in NEOSYS reports ===

NEOSYS Support must only resolve issues in NEOSYS output first. This is because only NEOSYS outputs can be trusted and user versions in Excel or PDF could be copied wrongly or edited by the user.

In case users send reports in excel or other formats, get them to send the original NEOSYS HTML report as an attachment or copy-pasted in email.

=== Handling issues with totals on reports ===

If a client has a problem with any total output by NEOSYS software then NEOSYS support will advise them which other NEOSYS report or reports provide a complete breakdown of the total (if necessary, to individual transactions) and ask the client to locate any offending transactions themselves.

NEOSYS support staff will handle any issues where the total on the breakdown report does not add up to the total on the summary report.

Reconciling totals can be hard if there are many transactions involved. Regardless of how hard it may be, reconciliation is an operational task for users not for support staff since NEOSYS support staff will not get involved in understanding client transactions or data.

==== Trial Balance and Financial Statements ====

NEOSYS support staff do not have to prove or trace any figures in NEOSYS Trial Balance Reports or any financial reports. If a figure is stated to be wrong by the user, then NEOSYS support staff should ask for proof or say NEOSYS is confident that the figures are correct unless proved otherwise.

NEOSYS support staff should point out reports in NEOSYS which will support the figures in question but not actually run the reports. Support staff can suggest the users to refer to detailed ledger accounts to prove balances.

==Handling Browser related issues in NEOSYS==
See [http://techwiki.neosys.com/index.php/Technical_/_Hardware_requirements#NEOSYS_Software_Browser_and_OS_Requirements NEOSYS browser requirements]

Clients frequently ask [http://userwiki.neosys.com/index.php/General_FAQ#Why_doesnt_NEOSYS_support_my_XYZ_browser.3F Why NEOSYS doesn't support other browsers]

To avoid browser errors, all new users must follow the steps given in [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#Getting_started_with_NEOSYS Getting started with NEOSYS] before logging in to NEOSYS for the first time.

To troubleshoot browser related errors see [http://userwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_Web_Browsers Troubleshooting Web Browsers]

Users must clear browser cache after every NEOSYS Upgrade to avoid errors. See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS#Sample_email_to_be_sent_to_clients_who_face_issues_due_to_failure_in_clearing_browser_cache Sample email to clients who face issues due to failure in clearing browser cache]

Pop-up blockers and any 3rd party toolbars must be deactivated/switched off or else certain pages and alert messages while using NEOSYS do not appear as a result of blocking from either the pop-up blocker or toolbars with built-in pop-up blockers.

NEOSYS support should ask users to Reset browser (See [http://userwiki.neosys.com/index.php/Reset_Browser Reset browser]) if they notice any user browsers which have pop-up blockers or 3rd party toolbars installed.

NEOSYS Support should additionally ensure that under Internet Explorer > Tools > Internet Options > Advanced > Browsing - the items Disable script debugging (Internet Explorer) and Disable script debugging (Other) are '''UNTICKED'''. This is because if NEOSYS generates any javascript error message, the same would disappear in the bottom left corner of a window, which in turn helps the programmer fix the error. This must be done after every Factory Reset.

== Handling NEOSYS Upgrade==
See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS Upgrading NEOSYS]

== Using Support Tools ==
=== Website Live Support ===
www.neosys.com is equipped with a Live Support software and clients can visit the website, click on this link and chat with any of our support staff, without the need for any installation. The client has to fill in their name and email address to connect to an available support personnel. During non-working hours, the Live Support icon on the website automatically displays "offline".

NEOSYS Support personnel who are authorised to provide such support, need to download a software called Kayako Live Support from the link below

http://www.neosys.com/support/LiveResponse_3.1.1.122-STABLE.exe

Once downloaded the account needs to be setup as follows:

* Account Name: (as provided by NEOSYS IT)
* SupportSuite URL: http://support.neosys.com/
* User Name: (as provided by NEOSYS IT and usually same as Account Name)
* Password: (as provided by NEOSYS IT)

The first time the account is setup, you need to close Kayako Live Support completely and restart for it to log in and work properly.

=== Teamviewer ===
Since Teamviewer allows no restriction on access once a fixed pass is installed, Support must not install fixed pass on teamviewer however convenient it might be.

RULE: NO FIXED PASS TO BE INSTALLED ON TEAMVIEWER IN ANY NEOSYS OR NEOSYS CLIENT COMPUTER

Running teamviewer live from a web link is fine because it does not allow installation of a permanent password

For certain tasks that require temporary install of Teamviewer on the client servers (e.g. upgrading Cygwin remotely), use Teamviewer 7 on the server as well as Support staff computer. Contact NEOSYS IT for commercial license of Teamviewer 7.

To support client users who use the latest version of Teamviewer, support staff must also install the latest Teamviewer version available alongside Teamviewer 7.

== Documenting Processes in Wiki ==
NEOSYS Support staff must be in continual learning mode. This is mandatory for support staff and is not an option. Support must read, learn and understand everything in the support emails and ask questions if they don't understand. This understanding must be transferred into wiki in the form of new articles and improvements to existing articles.

===Avoiding duplication of text in wiki===

Duplication of text in wiki is to be avoided almost at any cost. Duplication has the problem that when one copy is changed or improved in future then it is highly likely the editor will fail to update the other copy or copies and wiki will over time become an inconsistent mess.

There are several ways to avoid duplication:

#Two or more procedures which have significant areas of duplication can be rewritten as a single procedure with alternatives in the middle of the procedure
#Wiki Templates- Templates reproduce the same text in all places and editing one place edits all places. See [[How to create templates in wiki]]
#Wiki links- Only put the text in one place and put links to that in all the other places that it is appropriate.
#Place a note in all copies something to the effect that "This is similar to x, y and z". This alerts any future editor of all other places in wiki that might also have to be updated.

Future modifications in one place may or may not be appropriate to other places. The editor must decide whether to change one or all places

=== Cutting and Pasting NEOSYS Maintenance Mode Messages into Wiki ===

Error messages expressed as images are not searchable.

Therefore SELECT THE TEXT OF MAINTENANCE MODE WINDOWS using right click on window heading, Edit, Mark, Copy .. not graphical copy.

Then paste the text into wiki and surround with "< pre>" and "< /pre>" tags (without the space) as follows:

[[image:loginmessage.jpg]]

the result is searchable text as follows ...

<pre>
╔════════════════════════════╗
║ NEOSYS SECURITY ║
║ What is your name ? ║
║ ║
║ [ ] ║
║ ║
║ Please enter your name, ║
║ or press Esc to exit. ║
╚════════════════════════════╝
</pre>

== Use of personal email addresses by NEOSYS support staff ==

NEOSYS support staff MUST NOT use any personal email addresses for NEOSYS business.

The xxxx.neosys@gmail.com addresses that are created by support staff for themselves on joining are also considered personal email addresses and must not be used for NEOSYS business. These email addresses might be linked to NEOSYS wiki accounts but that doesn't matter because wiki is not confidential.

== Handling Nagios Client Monitoring system ==

NEOSYS support staff on duty has to follow the below outlined procedures in case of any Nagios items showing a critical or warning message for any service. Failure to schedule appropriate downtime will lead to REDUNDANT ALERTS from NAGIOS every hour.

# Nagios is required to be checked first thing in the morning and any critical or warning messages need to be dealt with to resolve the same at the earliest.
# Some of the messages could be related to backup failures and the usual procedure as stated in [[Backup_and_Restore#Handling_failure_and_warning_messages_on_nightly_backup_alerts|Handling failure and warning messages on nightly backup alerts]] needs to be followed. In case the backup issue isn't resolved by 9:30 am, the Nagios service needs to be scheduled with downtime for a minimum of 2 hours and maximum until 1 am next day if the issue cannot be solved.
# In case any HTTPS, SSH or PING service is down, immediate action is required and the relevant IT people at the client side needs to be contacted to get this resolved. A downtime of 2 hours is required to be scheduled with further intervals of 2 hours incase this is not resolved. Support staff shouldn't schedule downtime till 1 am next day, just to get rid of the alerts for the day. Proactive follow up with the client is required to get this resolved before the business day - more so, if there is a weekend ahead.
# In case the HTTPS, SSH or PING service goes down during the day, a grace period of 20 minutes is given before the issue is reported to the client IT. This helps incase there is any temporary internet connection issue at the client or along the internet route.
# In case of "Backup not changed" warning status which occurs if the client has not interchanged the USB before 12 noon on that day, no action is required from the support staff and a downtime until 1 am next day needs to be scheduled.

== Handling lack of remote access to NEOSYS server located in client’s premises ==

If access to the NEOSYS server is lost then we must determine the root cause by:
# Checking if the server is UP and running
# If yes, please check internet connectivity on the server
# If there is connectivity, please check the router for connectivity issues

'''Sample Response:'''
<pre>
Dear XYZ,

Please note that we have currently lost access to the NEOSYS server. The server seems to be down at the moment and it seems that
NEOSYS processes are not running on the server.
Kindly check if the server is UP and running. If yes, please check internet connectivity on the server.
Do keep us posted on the server status so we can test connectivity from our side as well.

Best Regards,
</pre>
== New Router (Port Forwarding) ==

If you have changed your router then you may notice that external access to NEOSYS is unavailable.

'''Solution:'''

Setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to the NEOSYS Server as follows:
# Port 19580 > 19580 for SSH
# Port 4430 > 4430 for HTTPS

You can see [http://portforward.com/ Set Up Port Forwarding] to learn how to configure your Router.

To see how to test/ troubleshoot port forwarding settings, go to [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting Port Forwarding]].

'''Sample Response:'''
<pre>
Dear XYZ,

You are requested to kindly setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to
the NEOSYS Server,i.e. port 19580 for SSH and port 4430 for HTTPS.

Once this is complete, kindly send me an email to confirm the same so that we could test connectivity from our end as well.

Best Regards
</pre>
== Creating and Handling passwords ==
Passwords made out of a pass phrase should be at least 10 characters since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts.

=== Creating a password ===
Passwords are generated from a pass phrase and it is important to create a very difficult to guess pass phrase.

For example, a good pass phrase would be: '''Today is a good day and it is the best time to go for a holiday'''

The password for this would be '''Tiagdaiitbt2g4ah'''

The important instructions for the above are:
#You have to take the first letter of each word and that makes your password (i.e. by using initials)
#Wherever any word starts with a capital, then you have to take first letter as a capital (eg. For Today you will take T)
#Replace '''and''' with '''&'''
#Replace '''to''' with '''2'''
#Replace '''for''' with '''4'''

=== Handling passwords ===
#Never send the actual password - always send the pass phrase
#Make sure that the password created out of the pass phrase is at least 10 characters long since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts
#Pass phrases are never to be sent by email, whatever the case maybe.
#Pass phrases can be sent by chat - however they have to be broken down in two parts and sent separately over two different messengers or if you are using Gtalk then use the 'off the record' mode.
#Using SMS to send pass phrases is the best known way as of now.
#If you save the passwords on your system in an file then:
#*Ensure that you only store pass phrases in the excel file
#*Ensure that the excel file is encrypted with a master password

== NEOSYS Maintenance Window ==

The NEOSYS server is functional from 6am – 1am. There is a 5hr window gap for the system to perform updates & backups.

The 5hr maintenance window:-

1. At 1am – The server performs a data backup on a USB (for the respective clients) & once the backup has been completed, the system automatically generates an email addressed to the neosys staff & the respective clients.

2. At 2:45am – The main data over writes the test data on the server.

3. At 3:00am – The server by itself performs an update for Windows.

4. At 4:00am – The server performs a backup to the headquarters for clients, and then automatically generates an email addressed to the NEOSYS staff & the respective clients.

5. At 6:00am – The server starts up NEOSYS.

== Amending/Reposting Journal Entries ==
In certain exceptional cases, amending/reposting of journal entries is allowed for a brief period of time to enable clients to present reports in an alternative manner. This would be subject to NEOSYS would requiring a written LETTER OF APPROVAL duly signed and stamped by the highest management of the company.

In case the client management decides to allow editing/reposting of journal entries, the following procedure is to be followed:
# Client must de-allocate vouchers which need to be amended
# NEOSYS support staff must wait for a day so that de-allocated vouchers are copied into Test database
# Authorise required users to amend and repost (without record) '''in Test database only''' ( While reposting, we have 2 options i.e. with record and without record. The 'with record' option causes the system to maintain a history of edits made. Hence, we want to repost without record so that there is no trace of the edit in the system)
# Amend a substantial number of vouchers in Test and verify them. To verify if the edits made are reflected:
# *Print all ledgers for the whole year
# *Cross-check all balances
# Once you verify the balances are correct in Test database, grant users permission to amend and repost in the Live database.
# Ask users to amend and repost vouchers in the Live database.
# Cross-check all balances for the current year.
# If you successfully verify the balances, revoke permissions immediately. Else, wait for 24 hours and revoke permissions irrespectively.

== Removal of unauthorized third-party software on client servers ==

Rule: Any third party software that is discovered by NEOSYS support staff on client servers that has been installed without the agreement of NEOSYS should be uninstalled immediately on discovery.

However purposeful a software is, NEOSYS is contractually responsible for support and there are too many opportunities for poorly installed software to cause unpredictable damage to the NEOSYS database so NEOSYS has to have a clear and safe and simple policy to ensure the integrity of client data. Installing software without prior discussion with NEOSYS by itself indicates that insufficient care and consideration as been given to possible issues.

Any software required by client IT for some purpose may only be installed after discussion and agreement from NEOSYS support staff concerning the configuration and operation of the software.

The NEOSYS Software Licence and Support agreement requires that where NEOSYS software is installed on client servers that a dedicated server is provided and dedicated implies that no other software may be installed without the agreement of NEOSYS support.

== Configuring tunnelier to autologin on opening tlp files ==
If you have many tunnelier tlp files in a directory and connect by opening the desired tlp file the, instead of opening the file and then clicking Login you can also right click the file and select Connect.

Alternatively, you can configure tunnelier to login (connect) automatically by following the procedure mentioned below. (Even if you configure automatic login, you can still open and not login by right clicking and choosing Open)

=== Windows 8 ===

Cannot be done using standard Windows UI. Some download utilities can do it. TODO put a safe one in neosys.com/support

=== Windows XP/Vista/7/2008 ===

#Go to My Computer
#Click on Tools -> Folder Options [[image:tunnauto-1.jpg]] 
#Click on File Types
#*Select TLP (Bitvise Tunnelier Profile) [Type "TLP" to find it quickly]
#*Click on Advanced [[image:tunnauto-2.jpg]] 
#Click on Connect and Click on Set Default [[image:tunnauto-3.jpg]] 

==[[ New Employee Training Checklist]]==

==[[ New Client Training Notes]]==

Setting up and using remote support

2014-11-06T07:16:26Z

Nikhil: /* Upgrading Cygwin remotely */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrading cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

'''Suggested method to maintain connectivity during cygwin upgrade'''

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 7 which does not give this error. Contact NEOSYS IT for TeamViewer7 commercial license. You must have the client server's administrator password to login using TeamViewer.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created or upgraded as follows:

It is recommended that you inspect the version of the pre-installed script against the http version and upgrade to the latest.

First find the text of the script at http://www.neosys.com/support/upgradecygwin.cmd

Then, assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
See [http://techwiki.neosys.com/index.php/Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F How to check Cygwin version]

Login using tunnelier. If successful, close your Teamviewer on the server

==== Upgrading Cygwin with server reboot ====
TODO: To be revised

If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

User talk:Ruku

2014-10-22T11:17:22Z

Nikhil: Welcome!

'''Welcome to ''NEOSYS Technical Support Wiki''!'''
We hope you will contribute much and well.
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].
Again, welcome and have fun! [[User:Nikhil|Nikhil]] ([[User talk:Nikhil|talk]]) 15:17, 22 October 2014 (GST)

User:Ruku

2014-10-22T11:17:22Z

Nikhil: Creating user page for new user.

MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE MAINTENANCE

New Employee Training Checklist

2014-10-22T05:31:16Z

Nikhil: /* Day 1 */

==Day 1==
#Create email Id eg :- firstname.neosys@gmail.com
#Create Skype ID eg:- firstname.neosys
#Download Dropbox and create an account in Dropbox using the gmail account
#Create thunderbird inbox’s support@neosys.com, backup@neosys.com, nagios@neosys.com
#Create signature in thunderbird
#Create password for the computer/laptop
#Mails are sent out in Calibri font with font size 11
#Password file:- This file contains all usernames and passwords. File name should be generic. The file is password protected, please refer link to create appropriate password for the file (http://techwiki.neosys.com/index.php/Procedures#Creating_and_Handling_passwords) .File should be placed under nested folders. The aim is to protect the file from being
#Create file to store client info ( clients details) column names:- host name, company name , location of company, time zone, which server is the NEOSYS hosted
#Make vm1.neosys.com as Firefox home page
#Go through Procedures in wiki
#Introduce nagios
#Read wiki page “Backup and Restore”
#Support suit login ID , wiki ID
#http://network-tools.com

==Day 2 ==
#Check the clients file
#Explain backup procedure
#Show backup emails
#Share backup files
#Make the candidate do the morning backup-check routine.
#Explain http://techwiki.neosys.com/index.php/Procedures#NEOSYS_Maintenance_Window
#Explain different backup failures
#Various checks on why and how a backup failed. ( mail in inbox, nagios trends, neosys log, server event viewer)
#Share canned file
#NEOSYS login page and configuring NEOSYS
==Day 3==
#Go through Canned mails.
#Show examples on when each canned mails can be sent
#Do backups for the day. Mark backup in backup file.
#Schedule downtime on nagios
#Various errors in Troubleshooting nagios to be looked at http://techwiki.neosys.com/index.php/Handling_Nagios_Client_Monitoring_System

==Day 4==
#Handle backup issues, critical issues on nagios
#Email clients if they need to be informed about issues.
#Explain Getting Started and NEOSYS login process
#Explain Media Schedule (per brand, Client Brand file, Vehicle file, specification, material, dates, free ads, Supplier file, booking, certifying, invoicing)
==Day 5==
#2 Assignments on Schedules ( booking, cancelation, rebooking, certify & invoicing )
#Creating on various client and brand , vehicle and supplier files
#Practice Media module
==Day 6==
#Handling damaged file with examples
#Quiz on Procedures, Nagios and Handling damaged files
==Day 7==
#Jobs Module completely and practice
#Explain Authorisation file (locks and keys, user ID , various levels etc)
==Day 8==
#How to Upgrade NEOSYS
#Upgrade a client
#Tested on TEST installation.
#Explain Zone edit, DNS
==Day 9==
#Free ads in Media schedule , how to replicate issues of clients
#Backup and Restoring NEOSYS
#Moving NEOSYS to new server/location etc
#Consolidated Backup ( Autologin.sh)
#System configuration file features and testing each field

==Day 10==
#Request for a quick demo from the new staff

Setting up HTTPS

2014-10-21T12:21:19Z

Nikhil: /* Re-installing Certificates from selfssl */

== Creating a single HTTPS web site on Windows 2008 ==

Install selfssl.exe from Microsoft site (iis60rkt.exe available in neosys nl1 download folder) only the SSL utility is needed. This utility is already installed and available on NEOSYS servers.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

[[image:sslwin2008-1.jpg]]

C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /N:CN=NEOSYS-SERVER /K:1024 /V:9999 /S:8 /P:4430
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.

Do you want to replace the SSL settings for site 1 (Y/N)?y
Error opening metabase: 0x80040154
C:\Program Files\IIS Resources\SelfSSL>

*/n:CN='''hostname''' indicates the full domain name of the site and depends on what you want to use (eg. clientname.hosts.neosys.com if the site is hosted on nl1/nl1b or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) IF the site is hosted on the client server.
*/K:Key size. Use default 1024
*/V:9999 means valid for 9999 days
*/S:8 is the site number in this case (site number is shown in IIS management screen)
*/P:4430 is the non-standard port number NEOSYS uses by convention for SSL/HTTPS instead of the standard 443. 4430 can be replaced with custom port numbers in case the installation is on a NEOSYS server. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_site_in_IIS Creating a site in IIS on NEOSYS hosted server]

Ignore the '''Error opening metabase: 0x80040154'''

Next go to the IIS Manager and make sure the certificate was created and stored. Creating a certificate does not make it automatically bind to the website.

[[image:sslwin2008-2.jpg]]

Once you make sure it is created, then click on Sites > Default Website and in the right pane select Bindings:

[[image:sslwin2008-3.jpg]]

In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the certificate from the drop down and press click on OK:

[[image:sslwin2008-4.jpg]]

Then test the site from explorer to make sure it works.

== Creating a single HTTPS web site on Windows 2003 ==

Install selfssl.exe from Microsoft site (iis60rkt.exe available in neosys nl1 download folder) only the ssl utility is needed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

then

[[Image:SelfSSL.png]]

C:\Program Files\IIS Resources\SelfSSL>selfssl /v:9999 /s:'''''866651215''''' /p:4430 /n:CN='''''hostname'''''
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.
Do you want to replace the SSL settings for site 866651215 (Y/N)?y
The self signed certificate was successfully assigned to site 866651215.

/v:9999 means valid for 9999 days
/s:'''''866651215''''' is the site number in this case (site number is shown in IIS management screen)
/p:4430 is the non-standard port number neosys uses by convention for ssl/https instead of the standard 443
/n:CN='''''hostname''''' indicates the full domain name of the site and depends on what you want to use (eg. clientname.hosts.neosys.com if the site
is hosted on nl1/nl1b or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) IF the site is
hosted on the client server.

You probably made a mistake in the site number if you get the following message.

Error opening site metabase key: 0x80070003

== Creating multiple HTTPS web sites on NEOSYS hosted server ==

=== Creating a site in IIS ===

All clients hosted on NEOSYS servers use the same IP address, but different unique HTTPS port numbers starting from 4431 onwards. Similarly HTTP ports are configured with unique port numbers starting from 8123 onwards. The unique port number should be one greater than the highest port number available on the server under IIS manager -> NEOSYS ->Sites.

==== Creating a site in IIS in Windows 2008 ====

A port binding for HTTP is already created while configuring IIS.

Follow the procedures as explained in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Creating a Site in Win 2008] and add a port binding for HTTPS.

==== Creating a site in IIS in Windows 2003 ====

The https options are only available after running selfssl (see below).

[[Image:httpadvancedwebsitesetup.png]]

=== Testing access to the new HTTPS web site. ===

Make a subdomain '''clientname'''.hosts.neosys.com

Open "https://'''clientname'''.hosts.neosys.com:44XX/neosys" in IE where 44XX is the designated port number

If you get certificate error:

#check that the selfsll /n:CN='''clientname'''.hosts.neosys.com matches the domain name used in IE
#install the certificate into the client computer (double click the padlock, view certificates etc)

Closing all internet explorer versions and restarting is necessary for installed certificates to become effective.
===Export, Remove and Import Certificates ===

This step applies to both Windows 2003 and Windows 2008.

The EXPORT/REMOVE/IMPORT stage is necessary where there are multiple https sites on one server since any subsequent SELFCERT seems to destroy all other sites done with SELFCERT that have not been exported/REMOVED/imported.

Exporting and Importing certificates in Windows 2008 is just one part of the step to add certificates to sites and you need to follow the usual instructions to "bind" the certificate to a particular site.

Certificates must be saved in d:\hosts\certificates preferably by name for easy reference otherwise by site number. If this is not done then if certificates need to be regenerated then you have the pain of supporting re-import of certificates by all users.

#Export the certificate to a pfx file from IIS Manager > Click on Certificate > Export (to d:\hosts\certificates - password to be set is in a text file in the same folder)
#Remove the certificate from IIS Manager
#Import pfx certificate back from IIS Manager
#*Use PASSWORD found in certificates folder
#*Make sure you select the "mark certificate as exportable" option [[image:import-export.jpg]] 

==Setting up HTTPS for installations with more than 1 database==

In cases where there are multiple databases within the same installation, the website can be made accessible via different URLs, one for each database, like database1.hosts.neosys.com and database2.hosts.neosys.com, though they will finally be pointing to the same website. In order to assign multiple URLs to the same website, simply repeat the steps for Creating a Single website in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2003 Windows 2003] or [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Windows 2008] for each HTTPS URL that is required.

== Troubleshooting setup of multiple HTTPS websites ==

SelfSSL allows only one website to have SSL at a time in Windows 2003. However to avoid any issues in the future the solutions below have been provided for both Windows 2003 and 2008.

=== Re-installing Certificates ===

Sometimes due to an unknown issue, site/s stop working and hence there is a need to re-install the site certificate.

===== Re-installing Certificates from saved PFX files =====

#Unbind the certificate from the site
#Remove the certificate from IIS Manager
#Import pfx certificate back from IIS Manager
#*Use PASSWORD found in certificates folder
#*Make sure you select the "mark certificate as exportable" option [[image:import-export.jpg]] 
#Rebind the certificate

===== Re-installing Certificates from selfssl =====

In case there is no saved PFX file available to import(probably because the export/remove/import certificate step was not done during installation), then a new certificate must be created using selfSSL.

If users have installed certificates in their browsers then they will have to reinstall them again to avoid the usual "certificate not trusted/matching" type problems.

'''Steps'''
#Unbind the certificate from the site
#Remove the certificate from IIS Manager
#Create a new certificate as shown in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Creating a single HTTPS website in Windows 2008]
#Bind the new certificate to the website
#Do the export/remove/import step to have a working PFX file and avoid problems in the future. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Export.2C_Remove_and_Import_Certificates Export,Remove and Import]

Handling Nagios Client Monitoring System

2014-10-21T12:04:45Z

Nikhil: /* Backup -> Impossible alert */

= Procedure to handle Nagios =

The procedure that support staff need to follow while handling Nagios is documented [[Procedures#Handling_Nagios_Client_Monitoring_system|here]]

Nagios is accessed via this link: http://monitor.neosys.com/nagios3

= Nagios services =

Nagios is configured to display information pertaining to all NEOSYS client's server statuses which include multiple services such as:
# HTTPS: Most of NEOSYS clients are configured to have external web access via secure HTTP protocol (port 4430) from outside office. Nagios is configured to check port 4430 on a regular interval of 10 minutes and display any issues in accessing the same.
# SSH: As part of the support contract, NEOSYS should have external secure access to the client server usually over port 19580. Nagios is configured to check this port on a regular interval of 10 minutes and display any issues in accessing the same.
# Ping: Nagios is also configured to ping the client router as a measure to check if router responds incase the NEOSYS server is down.
# NEOSYS: This service works in a reverse direction, and the NEOSYS installation on the client server sends information such as databases running, current backup status, internal and internet IP addressess etc to Nagios on a regular interval of 10 minutes.

Some key information about Nagios is as follows:
* Nagios is also configured to display information related to internal servers.
* Clients hosted on a NEOSYS cloud server might not have services such as SSH or PING as this is monitored as part of the internal server service.
* Nagios sends out email alerts to support2@neosys.com (which is forwarded to support@neosys.com) from 8 am to 12 midnight on all Dubai working days (Sun-Thu). No alerts are sent out on Fri and Sat, unless they are for NEOSYS internal servers.

= How to handle a service error =
# Nagios Service Info - get there via various routes eg from Service Problems - then click on the service name (not the host name)
# Service Commands, Acknowledge this service problem (only services with status Warning or Critical have this option)
# Enter a note - explaining to yourself and your co-workers explaining how the problem is being handled and when to follow up

Notifications will be automatically resumed once the service becomes OK again.

The "Disable notifications" is not quite the same and shows as red on tactical summary screen.

===[[Backup_and_Restore#Updating_Nagios_incase_of_failures| Updating Nagios in case of backup failures]]===

=== How to stop ALL notifications ===

Useful to stop a massive number of alerts due to various causes.

#Nagios Process Info
#Enable/Disable notifications

=== Speeding up Nagios web interface ===

The usual F5 to refresh before the automatic 90 second refresh works but Ctrl+F5 doesnt.

=== Speeding up NEOSYS process checkins ===

You can force a neosys service checkin from NEOSYS maintenance mode (any process/database) press F5

MONITOR2

=== Adding the client to Nagios ===
This can be done by IT personnel of NEOSYS and needs to be escalated to them.

= Troubleshooting NAGIOS generally =
==Resolving “CRITICAL – Socket timeout after 10 secs” error message on NAGIOS==

===Error Message===

[[image:Vm3nagios.jpg]]

===Problem===

NAGIOS is not updating services like CPU Load, Drive Space C:, Drive Save D:,Explorer, Memory Usage etc.

=== Solution ===

Open Windows Task Manager and kill any nscp.exe process. Then, restart NSClient++ from the desktop or by going to Start> Programs> NSClient++

== Resolving “NEOSYS has not checked in” error message==

=== Error Message Explained ===
You notice a problem on NAGIOS indicating that '''''NEOSYS not checked in''' on a particular client server. This happens because NEOSYS is not updating NAGIOS.

=== Possible Causes & Solutions ===
#The maintenance window is left open. Make sure the maintenance window has not been left open in the server.
#Hung process on server. e.g.:- Fatal Error in Rev Restart. Follow steps in troubleshooting [[Troubleshooting_NEOSYS_Generally#Troubleshooting_Hung_processes| hung process]].
====The NEOSYS process is '''NOT''' running on the server====

Start the NEOSYS process and wait for 10 mins for NEOSYS to check into NAGIOS.
 

====The NEOSYS process '''is''' running on the server but still cannot connect to NAGIOS====

NEOSYS connects to NAGIOS using http. NEOSYS automatically detects and uses any http proxy configuration configured in Internet Explorer. If the Internet Explorer in the server can reach the internet then NEOSYS should be able to update to NAGIOS via the same proxy.

First check if Internet Explorer in the server can reach NAGIOS. Type the following link into the Internet Explorer in the server:

http://monitor.neosys.com

If you are asked to login then the Internet Explorer is working OK. You do not need to login. Just cancel and move on to the next step.

If Internet Explorer CANNOT connect to NAGIOS then resolving that fundamental issue will probably solve the NAGIOS connection issue too.

View the Internet Explorer proxy configuration as follows:

[[image:ieproxy.png]]

If Internet Explorer CAN connect to NAGIOS then check if there is an issue with NEOSYS's http proxy server configuration as follows:

#Search for '''UPDATE.$WG''' file located in the neosys\neosys. folder and open it using notepad or wordpad.
#You should find a message similar to the following:
<pre>
Connecting to 192.168.100.145:8080 failed: No such file or directory.
</pre>
Where the above appears to be some non-functional http proxy server ip/port number and is not the expected nagios server ip number.
'''A windows proxy command shows the same ip and port:'''

On Windows 2003/XP

proxycfg

On Windows 2008/Win7

NetSH WinHTTP import Proxy ie

Output:

<pre>
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.

Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Proxy Server(s) : 192.168.100.145:8080
Bypass List : 192.168.*.*;localhost;<local>

</pre>

'''Solution 1 - Remove the above setting to create a direct connection'''

#To remove the registry entries that ProxyCfg.exe creates,you must delete the WinHttpSettings value from the following registry key: <PRE>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings</PRE>
#After you do the above, confirm that the proxy details are deleted by running the proxycfg command 
#Next, restart the NEOSYS processes for the changes to be affected
 

'''Solution 2 - Configure a functioning proxy ip/port number'''
#Use the proxycfg command to enter a working proxy ip/port number/exclusion list: http://msdn.microsoft.com/en-us/library/aa384069%28VS.85%29.aspx
#After you do the above, confirm that the new proxy details are working by running the proxycfg command again
#Next, restart the NEOSYS processes for the changes to be affected
 

 Note: Please refer to the link before you restart NEOSYS processes [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]] 

On the client server, look at the text of UPDATE.$WG and other UPDATE.* files in the client's NEOSYS installation neosys/neosys folder for clues.

==== There is a problem with the USB media inserted for backup====
Refer [[Troubleshooting_NEOSYS_Generally#Error_message:_.E2.80.9CAbort.2C_Retry.2C_Fail.E2.80.9D|here]]

==== NEOSYS thinks it sees a new neosys2.exe upgrade file on the location http://www.neosys.com/support/neosys2.exe and attempts to download it ====

Refer [[Troubleshooting_NEOSYS_Generally#NEOSYS_process_window_displays_message_.22Upgrade_Downloading.22 | here]]

== Resolving "Cannot make SSL connection"==
===Error Message===
[[File:SSL.jpg]]

Users get the message "This page cannot be displayed" when they try to access the HTTPS website.
TODO Add screenshot

===Cause===
When there are multiple HTTPS sites on one server, any subsequent SSL self certifications seems to destroy all other sites with self certification where the export/REMOVE/import step is not done for some reason. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Export.2C_Remove_and_Import_Certificates Export, Remove and Import Step]

This issue is only evident after the server restart.

===Solution===
Re-install certificates. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Re-installing_Certificates Re-installing Certificates]

== Backup -> Impossible alert ==
===Possible Causes and Solutions===
If there is an error "Backup->Impossible" on Nagios check if the USB is properly inserted and schedule downtime to Nagios for 2 hours.

==[[Backup_and_Restore#Interchange_backup_USB_mail_reminder| "Change Backup" alert]] ==

== Troubleshooting Network Outages reflected in Nagios due to reassigning of router name or IP address ==
Nagios displays errors if a router name or the ip address it is monitoring have been reassigned.

We can resolve this issue by trying to find the ISP router ip address just before the NEOSYS server.

Steps:-
#Login to Nagios
#Click on Tactical Overview -> Network Outages and click on Blocking Outages to view [[image:tracert-00.jpg]] 
#You will now see the host/ISP which is down. Click on the status map icon to identify the host associated with the ISP, as shown below: [[image:tracert-01.jpg]] 
#From the Network Map displayed, identify the host associated with the ISP. [[image:tracert-02.jpg]] 
#If you already know the ip address of the host then skip to next step else, in Nagios, click on Host Detail, then on the hostname identified earlier and From the Host Details shown, save the host url. [[image:tracert-03.jpg]] [[image:tracert-04.jpg]] 
#Log onto www.network-tools.com:
#*Select Trace
#*Enter the host's ip address if already known or host url
#*Click on Go [[image:tracert-05.jpg]] 
#The trace route should complete successfully revealing the IP address of the ISP just before the NEOSYS server. [[image:tracert-06.jpg]] 
#You can now login to zoneedit and update the ip address of the host.
#Check Nagios.
== Nagios reports a hung process ==
===Possible Causes and Solutions===
Refer link [[Troubleshooting_NEOSYS_Generally#Error_message:_.22Read_error_in_the_operating_system_file.22|here]]

==Explorer.exe not running ==
Nagios will display this error for only nl1 at the moment.

===Possible Causes and Solutions===
This error means that the server has (for whatever reasons) rebooted and stuck at the Windows login prompt for someone to enter the username & password. (More info on explorer.exe is available at http://en.wikipedia.org/wiki/Explorer.exe)

Solution to this problem would be to login via Tunnelier and open up Remote Desktop Connection.

=Configuring Sonicwall firewall to allow NEOSYS to update Nagios=
=== Configuring Sonicwall firewall to allow NEOSYS to update Nagios ===

This is documented at [[Sonicwall_Firewall_Configuration#Configuring_Sonicwall_firewall_to_allow_NEOSYS_to_update_Nagios|Configuring Sonicwall firewall to allow NEOSYS to update Nagios]]

File:SSL.jpg

2014-10-21T11:33:26Z

Nikhil:

User talk:Arvind

2014-10-16T13:13:13Z

Nikhil: Welcome!

User:Arvind

2014-10-16T13:13:13Z

Nikhil: Creating user page for new user.

Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive
Arvind Prasad Software Support Executive

New Employee Training Checklist

2014-10-14T10:20:06Z

Nikhil: /* Day 1 */

==Day 1==
#Create email Id eg :- firstname.neosys@gmail.com
#Create Skype ID eg:- firstname.neosys
#Create thunderbird inbox’s support@neosys.com, backup@neosys.com, nagios@neosys.com
#Create signature in thunderbird
#Create password for the computer/laptop
#Mails are sent out in Calibri font with font size 11
#Password file:- This file contains all usernames and passwords. File name should be generic. The file is password protected, please refer link to create appropriate password for the file (http://techwiki.neosys.com/index.php/Procedures#Creating_and_Handling_passwords) .File should be placed under nested folders. The aim is to protect the file from being
#Create file to store client info ( clients details) column names:- host name, company name , location of company, time zone, which server is the NEOSYS hosted
#Make vm1.neosys.com as Firefox home page
#Go through Procedures in wiki
#Introduce nagios
#Read wiki page “Backup and Restore”
#Support suit login ID , wiki ID
#http://network-tools.com

==Day 2 ==
#Check the clients file
#Explain backup procedure
#Show backup emails
#Share backup files
#Make the candidate do the morning backup-check routine.
#Explain http://techwiki.neosys.com/index.php/Procedures#NEOSYS_Maintenance_Window
#Explain different backup failures
#Various checks on why and how a backup failed. ( mail in inbox, nagios trends, neosys log, server event viewer)
#Share canned file
#NEOSYS login page and configuring NEOSYS
==Day 3==
#Go through Canned mails.
#Show examples on when each canned mails can be sent
#Do backups for the day. Mark backup in backup file.
#Schedule downtime on nagios
#Various errors in Troubleshooting nagios to be looked at http://techwiki.neosys.com/index.php/Handling_Nagios_Client_Monitoring_System

==Day 4==
#Handle backup issues, critical issues on nagios
#Email clients if they need to be informed about issues.
#Explain Getting Started and NEOSYS login process
#Explain Media Schedule (per brand, Client Brand file, Vehicle file, specification, material, dates, free ads, Supplier file, booking, certifying, invoicing)
==Day 5==
#2 Assignments on Schedules ( booking, cancelation, rebooking, certify & invoicing )
#Creating on various client and brand , vehicle and supplier files
#Practice Media module
==Day 6==
#Handling damaged file with examples
#Quiz on Procedures, Nagios and Handling damaged files
==Day 7==
#Jobs Module completely and practice
#Explain Authorisation file (locks and keys, user ID , various levels etc)
==Day 8==
#How to Upgrade NEOSYS
#Upgrade a client
#Tested on TEST installation.
#Explain Zone edit, DNS
==Day 9==
#Free ads in Media schedule , how to replicate issues of clients
#Backup and Restoring NEOSYS
#Moving NEOSYS to new server/location etc
#Consolidated Backup ( Autologin.sh)
#System configuration file features and testing each field

==Day 10==
#Request for a quick demo from the new staff

Setting up and using remote support

2014-10-06T11:22:12Z

Nikhil: /* Upgrading Cygwin with server reboot */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrading cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

'''Suggested method to maintain connectivity during cygwin upgrade'''

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error. You must have the client server's administrator password to login using TeamViewer.

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem echo --- PAUSING 10 SECONDS TO ALLOW SHARED DLLS TO UNLOAD --- >> %LOGFILE% 2>&1
ping -n 10 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECKING THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ### ### >> %LOGFILE% 2>&1
echo ### DO NOT KILL SSHD AND BASH PROCESSES IF YOU ARE CONNECTED ON SSH! ### >> %LOGFILE% 2>&1
echo ### OTHERWISE YOU WILL LOSE YOUR REMOTE CONNECTION AND NOT BE ABLE ### >> %LOGFILE% 2>&1
echo ### RECONNECT UNTIL SOMEONE RESTARTS SSHD ON THE SERVER BY ### >> %LOGFILE% 2>&1
echo ### USING COMMAND "SSHD NET START SSHD" ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script
</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
See [http://techwiki.neosys.com/index.php/Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F How to check Cygwin version]

Login using tunnelier. If successful, close your Teamviewer on the server

==== Upgrading Cygwin with server reboot ====
TODO: To be revised

If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-10-06T11:19:39Z

Nikhil: /* Finding the script */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrading cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

'''Suggested method to maintain connectivity during cygwin upgrade'''

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error. You must have the client server's administrator password to login using TeamViewer.

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem echo --- PAUSING 10 SECONDS TO ALLOW SHARED DLLS TO UNLOAD --- >> %LOGFILE% 2>&1
ping -n 10 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECKING THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ### ### >> %LOGFILE% 2>&1
echo ### DO NOT KILL SSHD AND BASH PROCESSES IF YOU ARE CONNECTED ON SSH! ### >> %LOGFILE% 2>&1
echo ### OTHERWISE YOU WILL LOSE YOUR REMOTE CONNECTION AND NOT BE ABLE ### >> %LOGFILE% 2>&1
echo ### RECONNECT UNTIL SOMEONE RESTARTS SSHD ON THE SERVER BY ### >> %LOGFILE% 2>&1
echo ### USING COMMAND "SSHD NET START SSHD" ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script
</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
See [http://techwiki.neosys.com/index.php/Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F How to check Cygwin version]

Login using tunnelier. If successful, close your Teamviewer on the server

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up HTTPS

2014-10-02T10:33:37Z

Nikhil: /* Export, Save and Import Certificates */

== Creating a single HTTPS web site on Windows 2008 ==

Install selfssl.exe from Microsoft site (iis60rkt.exe available in neosys nl1 download folder) only the SSL utility is needed. This utility is already installed and available on NEOSYS servers.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

[[image:sslwin2008-1.jpg]]

C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /N:CN=NEOSYS-SERVER /K:1024 /V:9999 /S:8 /P:4430
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.

Do you want to replace the SSL settings for site 1 (Y/N)?y
Error opening metabase: 0x80040154
C:\Program Files\IIS Resources\SelfSSL>

*/n:CN='''hostname''' indicates the full domain name of the site and depends on what you want to use (eg. clientname.hosts.neosys.com if the site is hosted on nl1/nl1b or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) IF the site is hosted on the client server.
*/K:Key size. Use default 1024
*/V:9999 means valid for 9999 days
*/S:8 is the site number in this case (site number is shown in IIS management screen)
*/P:4430 is the non-standard port number NEOSYS uses by convention for SSL/HTTPS instead of the standard 443. 4430 can be replaced with custom port numbers in case the installation is on a NEOSYS server. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_site_in_IIS Creating a site in IIS on NEOSYS hosted server]

Ignore the '''Error opening metabase: 0x80040154'''

Next go to the IIS Manager and make sure the certificate was created and stored. Creating a certificate does not make it automatically bind to the website.

[[image:sslwin2008-2.jpg]]

Once you make sure it is created, then click on Sites > Default Website and in the right pane select Bindings:

[[image:sslwin2008-3.jpg]]

In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the certificate from the drop down and press click on OK:

[[image:sslwin2008-4.jpg]]

Then test the site from explorer to make sure it works.

== Creating a single HTTPS web site on Windows 2003 ==

Install selfssl.exe from Microsoft site (iis60rkt.exe available in neosys nl1 download folder) only the ssl utility is needed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

then

[[Image:SelfSSL.png]]

C:\Program Files\IIS Resources\SelfSSL>selfssl /v:9999 /s:'''''866651215''''' /p:4430 /n:CN='''''hostname'''''
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.
Do you want to replace the SSL settings for site 866651215 (Y/N)?y
The self signed certificate was successfully assigned to site 866651215.

/v:9999 means valid for 9999 days
/s:'''''866651215''''' is the site number in this case (site number is shown in IIS management screen)
/p:4430 is the non-standard port number neosys uses by convention for ssl/https instead of the standard 443
/n:CN='''''hostname''''' indicates the full domain name of the site and depends on what you want to use (eg. clientname.hosts.neosys.com if the site
is hosted on nl1/nl1b or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) IF the site is
hosted on the client server.

You probably made a mistake in the site number if you get the following message.

Error opening site metabase key: 0x80070003

== Creating multiple HTTPS web sites on NEOSYS hosted server ==

=== Creating a site in IIS ===

All clients hosted on NEOSYS servers use the same IP address, but different unique HTTPS port numbers starting from 4431 onwards. Similarly HTTP ports are configured with unique port numbers starting from 8123 onwards. The unique port number should be one greater than the highest port number available on the server under IIS manager -> NEOSYS ->Sites.

==== Creating a site in IIS in Windows 2008 ====

A port binding for HTTP is already created while configuring IIS.

Follow the procedures as explained in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Creating a Site in Win 2008] and add a port binding for HTTPS.

==== Creating a site in IIS in Windows 2003 ====

The https options are only available after running selfssl (see below).

[[Image:httpadvancedwebsitesetup.png]]

=== Testing access to the new HTTPS web site. ===

Make a subdomain '''clientname'''.hosts.neosys.com

Open "https://'''clientname'''.hosts.neosys.com:44XX/neosys" in IE where 44XX is the designated port number

If you get certificate error:

#check that the selfsll /n:CN='''clientname'''.hosts.neosys.com matches the domain name used in IE
#install the certificate into the client computer (double click the padlock, view certificates etc)

Closing all internet explorer versions and restarting is necessary for installed certificates to become effective.
===Export, Remove and Import Certificates ===

This step applies to both Windows 2003 and Windows 2008.

The EXPORT/REMOVE/IMPORT stage is necessary where there are multiple https sites on one server since any subsequent SELFCERT seems to destroy all other sites done with SELFCERT that have not been exported/REMOVED/imported.

Exporting and Importing certificates in Windows 2008 is just one part of the step to add certificates to sites and you need to follow the usual instructions to "bind" the certificate to a particular site.

Certificates must be saved in d:\hosts\certificates preferably by name for easy reference otherwise by site number. If this is not done then if certificates need to be regenerated then you have the pain of supporting re-import of certificates by all users.

#Export the certificate to a pfx file from IIS Manager > Click on Certificate > Export (to d:\hosts\certificates - password to be set is in a text file in the same folder)
#Remove the certificate from IIS Manager
#Import pfx certificate back from IIS Manager
#*Use PASSWORD found in certificates folder
#*Make sure you select the "mark certificate as exportable" option [[image:import-export.jpg]] 

==Setting up HTTPS for installations with more than 1 database==

In cases where there are multiple databases within the same installation, the website can be made accessible via different URLs, one for each database, like database1.hosts.neosys.com and database2.hosts.neosys.com, though they will finally be pointing to the same website. In order to assign multiple URLs to the same website, simply repeat the steps for Creating a Single website in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2003 Windows 2003] or [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Windows 2008] for each HTTPS URL that is required.

== Troubleshooting setup of multiple HTTPS websites ==

SelfSSL allows only one website to have SSL at a time in Windows 2003. However to avoid any issues in the future the solutions below have been provided for both Windows 2003 and 2008.

=== Re-installing Certificates ===

Sometimes due to an unknown issue, site/s stop working and hence there is a need to re-install the site certificate.

===== Re-installing Certificates from saved PFX files =====

#Unbind the certificate from the site
#Remove the certificate from IIS Manager
#Import pfx certificate back from IIS Manager
#*Use PASSWORD found in certificates folder
#*Make sure you select the "mark certificate as exportable" option [[image:import-export.jpg]] 
#Rebind the certificate

===== Re-installing Certificates from selfssl =====

TODO

If users have installed certificates in their browsers then they will have to reinstall them again to avoid the usual "certificate not trusted/matching" type problems.

Checklists

2014-10-02T10:23:53Z

Nikhil: /* Instructions for filling checklists */

==Instructions for filling checklists==

* Steps that do not apply to NEOSYS-hosted server have a star next to its corresponding checkbox.
* Tick only the checkboxes of the steps that are completed.
* If a step is carried out differently from what is mentioned in the checklist, the reason for this must be specified as comments at the bottom of the checklist. These comments must be numbered as C1, C2 etc, and these comment numbers should be mentioned in the checkbox next to its corresponding step.

== Windows 2003 Installation ==

[[Media:Windows 2003_New_Installation_Checklist_with_remote_support.doc|New Installation Checklist with remote support]]

[[Media:New_Installation_Checklist_(Finance_only)_&_without_remote_support.doc| New Installation Checklist (Finance Only) & without remote support]]

== Windows 2008 Installation ==

[[Media:Win 2008 New Installation Checklist.doc|New Installation Checklist]]

== Shifting Servers ==

[[Media:Shifting_servers_Checklist.doc|Shifting Servers Checklist‎]]

Setting up and using remote support

2014-10-02T07:29:32Z

Nikhil: /* Upgrading Cygwin remotely */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrading cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

'''Suggested method to maintain connectivity during cygwin upgrade'''

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error. You must have the client server's administrator password to login using TeamViewer.

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
See [http://techwiki.neosys.com/index.php/Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F How to check Cygwin version]

Login using tunnelier. If successful, close your Teamviewer on the server

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-30T11:01:03Z

Nikhil: /* Verifying successful run */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrade cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error. You must have the client server's administrator password to login using TeamViewer.

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
See [http://techwiki.neosys.com/index.php/Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F How to check Cygwin version]

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-30T10:56:19Z

Nikhil: /* Upgrading Cygwin manually */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrade cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error. You must have the client server's administrator password to login using TeamViewer.

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
See [http://techwiki.neosys.com/index.php/Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F How to check Cygwin version]

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-30T05:41:48Z

Nikhil: /* Changing user on Cygwin= */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrade cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error. You must have the client server's administrator password to login using TeamViewer.

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-29T12:35:36Z

Nikhil: /* Upgrading Cygwin remotely */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrade cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error. You must have the client server's administrator password to login using TeamViewer.

TeamViewer must be uninstalled after the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin===

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-29T12:26:24Z

Nikhil: /* Upgrading Cygwin remotely */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained below.

To maintain connectivity while upgrade cygwin, you can use:
*VNC server
*direct RDP connection
*directly on the server
*TeamViewer started manually on the server

You cannot use:
*Standard NEOSYS remote support connection using RDP/cygwin/sshd
*TeamViewer Quickstart started using a standard NEOSYS remote support connection.
*TeamViewer 9 due to the issue explained below

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer with unattended access TEMPORARILY to do the upgrade.

'''TeamViewer 9 issue'''

When attempting to connect to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 8 which does not give this error.

TeamViewer must be uninstalled afterward the upgrade because it is not secure and NEOSYS has no way to manage TeamViewer to limit connections by IP number like cygwin sshd.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available onsite to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin===

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

File:TVerror.jpg

2014-09-29T12:23:05Z

Nikhil: uploaded a new version of "File:TVerror.jpg": Error message that comes up when trying to connect to client server via TeamViewer 9.

Error message that comes up when trying to connect to client server via TeamViewer 9.

File:TVerror.jpg

2014-09-29T12:19:36Z

Nikhil: Error message that comes up when trying to connect to client server via TeamViewer 9.

Error message that comes up when trying to connect to client server via TeamViewer 9.

Setting up and using remote support

2014-09-29T11:30:36Z

Nikhil: /* Upgrading Cygwin with server reboot */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use but only if a reboot is performed and perhaps some cygwin packages reinstalled.

You can use:
*vnc server
*direct rdp connection
*directly on the server
*teamviewer started manually on the server

You cannot use:
*standard NEOSYS remote support connection using rdp/cygwin/sshd
*teamviewer started using a standard NEOSYS remote support connection.

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer *temporarily* to do the upgrade.

Teamviewer must be uninstalled afterwards because it is not secure because NEOSYS has no way to manage TV to limit connections by IP number like cygwin sshd in the same way.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available onsite to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin===

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-29T08:29:53Z

Nikhil: /* Verifying successful run */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use but only if a reboot is performed and perhaps some cygwin packages reinstalled.

You can use:
*vnc server
*direct rdp connection
*directly on the server
*teamviewer started manually on the server

You cannot use:
*standard NEOSYS remote support connection using rdp/cygwin/sshd
*teamviewer started using a standard NEOSYS remote support connection.

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer *temporarily* to do the upgrade.

Teamviewer must be uninstalled afterwards because it is not secure because NEOSYS has no way to manage TV to limit connections by IP number like cygwin sshd in the same way.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available onsite to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

''Note -'' If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin===

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-29T08:09:33Z

Nikhil: /* Upgrading Cygwin remotely */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
TODO correct mentions of server reboot

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use but only if a reboot is performed and perhaps some cygwin packages reinstalled.

You can use:
*vnc server
*direct rdp connection
*directly on the server
*teamviewer started manually on the server

You cannot use:
*standard NEOSYS remote support connection using rdp/cygwin/sshd
*teamviewer started using a standard NEOSYS remote support connection.

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer *temporarily* to do the upgrade.

Teamviewer must be uninstalled afterwards because it is not secure because NEOSYS has no way to manage TV to limit connections by IP number like cygwin sshd in the same way.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available onsite to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

''Note -'' If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin===

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

Setting up and using remote support

2014-09-29T08:07:37Z

Nikhil: /* Finding the script */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime to access the server from the internet since IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or even blank and in this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands:

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:

Privilege – YES
New local sshd account - YES
Install SSHD as a service - YES
Enter value of daemon - press enter (not "ntsec" as it used to be)
Different name - NO
Create new privileged user - YES
Enter a password now - Set any random password and should not be the same as the neosys server (8 characters min)

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===
NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use but only if a reboot is performed and perhaps some cygwin packages reinstalled.

You can use:
*vnc server
*direct rdp connection
*directly on the server
*teamviewer started manually on the server

You cannot use:
*standard NEOSYS remote support connection using rdp/cygwin/sshd
*teamviewer started using a standard NEOSYS remote support connection.

Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer *temporarily* to do the upgrade.

Teamviewer must be uninstalled afterwards because it is not secure because NEOSYS has no way to manage TV to limit connections by IP number like cygwin sshd in the same way.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to renable ssh remote connections, you should take one of the precautionary measures listed.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available onsite to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

===== Running the script =====

Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and ntelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:

Assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

<pre>
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%
echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT FIND WGET.EXE ### >> %LOGFILE% 2>&1
echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
del setup-x86.exe >> %LOGFILE% 2>&1
echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
echo ok not found>> %LOGFILE% 2>&1
)

echo . >> %LOGFILE% 2>&1
echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
set RESULT=FAILURE
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE ### >> %LOGFILE% 2>&1
echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
echo ############################################################## >> %LOGFILE% 2>&1
goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1

echo . >> %LOGFILE% 2>&1
echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsvr.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed
ping -n 3 127.0.0.1 > null

echo .>> %LOGFILE% 2>&1
echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
set RESULT=FAILURE
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING ### >> %LOGFILE% 2>&1
echo ### CLOSE THEM ALL AND TRY AGAIN OR ### >> %LOGFILE% 2>&1
echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL% ### >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
echo ############################################################################# >> %LOGFILE% 2>&1
goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade

echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1

echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit

echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1

echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par

echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"

echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1

rem end of script

</pre>

====Upgrading Cygwin manually ====

Install Teamviewer (will be commercial on server) and allow unattended access.

Note the Teamviewer number and password during installation.

Logout of tunnelier.

Connect on teamviewer using the number and password

In command console type the following commands:
<pre>
net stop sshd
net stop cygwinrsync
net stop exim
</pre>

In task viewer, ensure no bash or ssh processes and kill any such processes.

Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”

If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See [[Setting_up_and_using_remote_support#Changing_ssh_login_from_.E2.80.9CAdministrator.E2.80.9D_to_.E2.80.9Cadministrator.E2.80.9D|Changing ssh login from “Administrator” to “administrator”]])

In command console type the following commands:
<pre>
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
</pre>

Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
<pre>
net start sshd
net start cygwinrsync
net start exim
</pre>

Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

Login using tunnelier. If successful, close your Teamviewer on the server

Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

==== Upgrading Cygwin with server reboot ====
If not already done, rename Windows “Administrator” user to “administrator” before upgrading

Connect using usual NEOSYS remote support.

Follow the usual cygwin installation procedure.

If and when cygwin "says files in use" then at console command prompt then click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.

If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below.
You can ignore them.

"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"

Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.

Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.

<pre>
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
</pre>

Reboot the server

Reinstall Bash and check that you can connect using usual NEOSYS remote support.

*The login user name might be changed to "Administrator" instead of "administrator".
*If you cannot reconnect after rebooting then the following steps (in particular the cygwin sshd package) may have to be performed directly on the server directly or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.

Reinstall any problematic Cygwin packages
#Select View: "Up to date"
#"Keep" to "Reinstall" for the packages listed in the previous section.

Check that you can run the ls command in a cygwin command prompt window.

Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.

For eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

''Note -'' If you dont reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version.

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd/DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Getting Ownership and Permissions Correct ==

Installation of cygrin under domain administrator account needs to be fixed as follows:

#c:\cygin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin===

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.