@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@jaredbusch said in CentOS7 Server Apache Disable old TLS for higher versions:

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@DustinB3403 I really like this site for information on securing various web servers.

https://cipherli.st/

I just implemented their Nginx setting but getting back that TLSv1 was accepted?

https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com

First line should read TLS1.2 if you don't have a version of Nginx that supports 1.3.

Correct. That is the only change I made to their config. I even reran dhparam

Via the ActiveDir list:

https://github.com/CarlWebster

There are some amazing scripts in there for ADDS but also for XenApp, NetScaler, Citrix, and others.

Site: https://carlwebster.com/downloads/download-info/active-directory-2/

@jaredbusch said in mailto alternative for systemd timers:

I would recommend writing the script to take parameters. Because then it is generic and you can plug it in on every system as part of the system setup process.
https://tecadmin.net/pass-command-line-arguments-in-shell-script/

Here's a template that I loosely follow for this:

#!/bin/bash #Script functions function script_help () { echo " Usage: $(basename $0) [options] -a word -a Echos the word you type -h this help text Example: $(basename $0) "-a word exit ${1:-0} } function thing () { echo $variable } #Show help if no arguments or options are passed [[ ! "$*" ]] && script_help 1 OPTIND=1 #Read command line options # A colon after a flag means it takes an argument while getopts "a:ih" opt; do case "$opt" in a) variable=$OPTARG ;; h) script_help ;; \?) script_help 1 ;; esac done shift $(($OPTIND-1)); #Run argument function thing

In this case, it calls the thing function on the argument from the -a flag and also has a help function.

I use wordpress with Wocommerce, integrates with paypal and stripe.

@mroth911 said in How to make 3 node cluster like Scale:

I Understand now. so i wanted to build something that is like "SCALE" meaning the vm's with failover and I can spin up a vm fast. just to understand the technology.

I heard of KVM. Never played with it yet.

KVM is the hypervisor behind Scale (and loads of others.)

So the things you want from your setup are a tiny function of what Scale does. All you are looking for is "high availability virtualization" which is a massively broad category. Scale does it in a very specific way, that is very good. But it's a cat and there are many ways to skin it. Some good, some bad, some just different.

@fateknollogee said in Unifi on Vultr: you 'has mad skillz?:

I don't quite get your answer..does that mean it's too easy or it's not worth the effort?

Basically yes, it is not worth the effort. You can setup apt to update automatically yourself quite trivially.

The same for Let's Encrypt.

Reskimming, I am not sure WTF he is doing with lighttpd I would need to look closer.

But the scripting of the backup to a third party site is going to be totally custom to every install. This is way too complex to setup in a simple script.

It works for him because everything is tied to the Google account.

@stacksofplates said in Remote management of VMs hosted in colocation:

@dashrender said in Remote management of VMs hosted in colocation:

@stacksofplates said in Remote management of VMs hosted in colocation:

@scottalanmiller said in Remote management of VMs hosted in colocation:

@stacksofplates said in Remote management of VMs hosted in colocation:

@scottalanmiller said in Remote management of VMs hosted in colocation:

@eddiejennings said in Remote management of VMs hosted in colocation:

Allowing an SSH connection to the managementVM from the Internet

I have not tried this approach yet, and it appears more risky than the Screen Connect approach, since SSH to that VM would be open to the Internet. Unless I'm missing some benefit to this approach, I'll not be using it.

Use a strong key, lock to your IP. Very safe. Add Fail2Ban, of course.

Or add Salt and open/close based on need so it doesn't stay open.

Fail2ban doesn't work with keys.

But it would work normally with people attacking using non-keys, would it not? Or am I missing something about what it would do?

Why would you not require keys? Not making them mandatory defeats the purpose of using them.

I think he means - if a hacker is trying to use a password on a system setup to only allow keys - the fail2ban will block those users, or won't it?

No. It's dropped before fail2ban even sees it.

Oh, makes sense. There is no "attempt" like with a password, it is "already blocked."

@scottalanmiller said in What are you using for Documentation?:

@dashrender said in What are you using for Documentation?:

@scottalanmiller said in What are you using for Documentation?:

@wirestyle22 said in What are you using for Documentation?:

@scottalanmiller said in What are you using for Documentation?:

@wirestyle22 said in What are you using for Documentation?:

@scottalanmiller said in What are you using for Documentation?:

@wirestyle22 said in What are you using for Documentation?:

@wrcombs said in What are you using for Documentation?:

I use Google Docs, and the ticketing system ; Im the only one who does write ups on things I think we need to know more about, or are things that will be needed in the future.

I/We don't use any fancy third party software for documentation.

We have infrastructure (Me), DevOps, Desktop Support. I think one person from each team should be responsible for technical documentation. I'd prefer for it to be me but I also have a lot on my plate.

How do you separate infrastructure and DevOps? DevOps is for managing infrastructure.

Infrastructure team is really networking team

Infrastructure teams normally refers to the non-networking ones. Although networking is obviously infrastructure. But SA is normally core infrastructure teams. Enterprise jobs labeled infrastructure are not networking.

Yeah that's just what they are calling us. Not very helpful for me to use the name here though as it's confusing for you guys

You are doing networking now? So mostly switches, routers, routing tables, firewall rules?

What jobs are in that other infrastructure department you're talking about?

System Admin, System Engineering, DevOps, App Support, DBA

Basically this

The size difference on files on my computer was an issue with dropbox on the latest version of Win10. I used my mac to download all files and then moved the Dropbox folder inside OneDrive and got all synced. Apart from some files not being synced all looks good now. I am almost ready to cut Dropbox, part of that I already switched from yearly plan to monthly (was due for renewal on sep), just keeping it a month or two more to finalize.

With the new option of getting MS offoce on unlimited devices and concurrent sign in to 5 devices with the O365 plan ( https://techcommunity.microsoft.com/t5/Office-365-Blog/You-re-about-to-get-even-more-from-your-Office-365-Home-or/ba-p/234907) along with smart sync, I guess its a great deal

@tonyshowoff said in Which Cloud Company Should Get The JEDI Contract?:

Yes it starts with a choice of good companies, but soon enough they'll leave after having to deal with technically incompetent committee members who don't understand what a scope is and the only ones left will be companies absolutely incapable of doing the job.

I can't upvote this enough. This is supposed to pay $10b. I will bet dollars to donuts that whoever gets the contract will A) lose money and B) have about 10 deadline extensions.

And after all that, it will be slapped together and almost unusable because of the red tape and ever moving goal posts of the scope of work.

@manxam said in New Tablet Search:

@scottalanmiller said in New Tablet Search:

Yeah, I get all that. But this is definitely just "normal USB", as it is a normal computer. Concepts unique to mobility don't apply here. So either OTG is a reference to all USB, or it's not applicable here. You would never call the USB port on your laptop or desktop OTG, and unless you do, you don't here.

But it's not a normal computer, it's a hybrid tablet running a Mobile/Tablet only OS utilizing a similar architecture to Android but with Chrome as it's UI instead of android.view/android.webkit.

Not really, it's running a desktop OS, ChromeOS. It's not similar to Android at all, it is in fact nothing but a normal laptop with no included keyboard. It's as much a desktop style device as any desktop you'd ever use. That the form factor is called a tablet is misleading, it would be like calling an iMac a tablet... the only difference between the two is one has a stand included, and one doesn't.

There is nothing "mobile" about this device. Other than it is easy to be mobile with it. Under the hood, it's identical to some of the world's most popular laptops, just with a keyboard sold separately.

Still not showing available.

0_1538331440965_38360ee2-b681-47f7-a178-b759045f012b-image.png

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

Computers in a domain are not syncing time with the Domain Controller (Hyper-V). They are all set to the local CMOS clock.

I had to restrict the ability for local users to change time by themselves. Is the GP that I created preventing the computers from syncing to the domain?

0_1538061340847_1.png
0_1538061350915_2.png

The time can be in different zones and not affect connectivity to the domain as long as it is 5 minutes from the DC time via UTC. Now I would really make the computers to just point to the DC as their NTP Server instead of anything else.

I thought they did by default in a domain.

They should but it is not enforced.

What do I need to do to enforce it? Or point them to the DC to use?

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

Computers in a domain are not syncing time with the Domain Controller (Hyper-V). They are all set to the local CMOS clock.

I had to restrict the ability for local users to change time by themselves. Is the GP that I created preventing the computers from syncing to the domain?

0_1538061340847_1.png
0_1538061350915_2.png

The time can be in different zones and not affect connectivity to the domain as long as it is 5 minutes from the DC time via UTC. Now I would really make the computers to just point to the DC as their NTP Server instead of anything else.

I thought they did by default in a domain.

They should but it is not enforced.

What do I need to do to enforce it? Or point them to the DC to use?

Enforce the time source on the DC
https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

For clients look at this one
https://www.altaro.com/hyper-v/configuring-time-synchronization-for-all-computers-in-windows-domain/

And here it is, subscription Windows licensing seen in the wild.

@mangogeorge

I wonder if you could grab the cab file without needing to get it from the iso

https://github.com/Microsoft/dotnet-framework-docker/blob/master/3.5/runtime/windowsservercore-ltsc2016/Dockerfile

the download URI used in the script does seem to be specific to ltsc2016, but I wonder if that matters

@hobbit666 said in Monitoring low level server hardware health:

Might depend on the Server and what they have built in.

Dell have the iDRAC that you can log onto and look at hardware logs. (Not sure if you can setup E-mail alerts been a while since i've used one)

The new ones you can since version 7 I believe.

@manxam said in Domain controller server 2012:

As per the above but to migrate the desktops, use Transwiz. Takes 1 minute to migrate the user profile from the old domain to the new.

That's the one that I was thinking of when I saw the post. Just didn't have the chance to post.

The above works really well.

@hobbit666 said in Free RMM Tool Syspectr:

@stuartjordan said in Free RMM Tool Syspectr:

Just come across this RMM tool, has anyone heard or used it.
just giving it a whirl now, its developed by a company in Germany.

https://www.syspectr.com/en/

My only concern if it's truly free what's the catch? How are they paying for the Servers the clients talk to?

Its a marketing product to sell...

https://www.oo-software.com/en/products