@scottalanmiller said in ps2 to usb adapters:
No, I was thinking of the PS/2, I was just wrong. There's a difference between confused and wrong. LOL
Happens to everyone
@scottalanmiller said in SSH jump server access control?:
@Pete-S said in SSH jump server access control?:
It's very common to limit network access on a user basis, I just didn't know how it was done on an ssh jump server.
Not that common, even on Wall St. and Federal Government I've never seen it used. So much complication for essentially no value. Since you already limit by user, what additional benefit does it add? In theory, it's a MFA that says "X user will only exist at Y address" and yes, that's not a non-zero value. But it's a really low value. In the modern world, being able to limit users to a pre-determined set of network addresses AND correctly identifying those addresses (instead of identifying the jump server for example) is both impractical and ineffective. Exceptions exist, but it's... weird.
Nowadays we see it all the time when given access to enterprise server infrastructure. Everything is completely locked down to just the IPs and ports needed. That wasn't the case say 5-6 years ago.
So it seems standard to me, but who knows? They probably have it in their admin tools so no extra work needed. I highly doubt there is any manual work involved.
@siringo said in New server q's:
Those last 2 posts are spot on Scott.
If I were to deploy a solution that was different to what everyone else was deploying, even if it was cheaper, better, faster, more resilient etc, I'd be lambasted by others simply because it was different and more likely, not understood.
That can lead to unhappy management, which can then lead to all sorts of grief for me.
This is obviously, not what I want.
Thanks for all the info & advice, it is greatly appreciated.
So you should buy the same old server model from 2016 to stay consistent with what they currently know
@JaredBusch said in SSH jump server access control?:
Blocking by user sounds like a complete fucking mess.
Why not just add TOTP based 2FA to your ssh or something? It is available on pretty much everything. You have key based auth only access already right? How much cost are you wanting to add here? Versus how much actual risk?
I mean the only purpose of this is to protect from a compromised internal user that uses ssh. The threat level should mean something extremely targeted is already the only credible attack vector.
A lot of threats are internal. But internal could also mean contractor or another external party. Or someone getting hold of their credentials, like in the uber attack (search "mfa fatigue").
It's very common to limit network access on a user basis, I just didn't know how it was done on an ssh jump server.
PS. I actually think outgoing access control can be done in the jump servers sshd_config directly. Keywords are ProxyJump, PermitOpen, Match on user and disable shell.
In theory the jump server can then only be used to jump to other servers and only the ones that are allowed for each user.
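As an added example (not code from the thread or from OpenSSH), here is a POSIX shell script that generates the sshd_config pieces the post above points at: a global deny of all forwarding and shells, then one Match User block per user listing the destinations that user may reach through the jump host with ProxyJump (ssh -W) or -L. Note that ProxyJump itself is a client-side ssh_config option; on the server side the keywords are Match, PermitOpen, AllowTcpForwarding, PermitTTY and ForceCommand. The user names and destination addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate per-user "Match" blocks for a jump host's sshd_config.
# Assumptions: OpenSSH 7.8 or newer on the jump host (PermitListen), users and
# destinations below are made up.

# Global defaults. Everything is denied here; Match blocks selectively relax it.
jump_global_defaults() {
    cat <<'EOF'
# --- jump host hardening (applies to everyone unless a Match block overrides)
PasswordAuthentication no
AllowTcpForwarding no
PermitOpen none
PermitListen none
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
GatewayPorts no
PermitTTY no
ForceCommand /usr/sbin/nologin
EOF
}

# jump_match_block USER DEST...   (DEST is host:port)
# Prints a Match block allowing only the listed destinations for USER.
# Returns 1 and prints nothing if USER or any DEST is malformed, so a bad
# entry cannot silently widen the policy.
jump_match_block() {
    user=$1; shift
    printf '%s' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$' || {
        echo "jump_match_block: bad user name '$user'" >&2; return 1; }
    [ $# -gt 0 ] || {
        echo "jump_match_block: no destinations for $user" >&2; return 1; }
    dests=""
    for d in "$@"; do
        printf '%s' "$d" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$' || {
            echo "jump_match_block: bad destination '$d' for $user" >&2; return 1; }
        dests="$dests $d"
    done
    printf 'Match User %s\n' "$user"
    # "local" permits -L and -W (ProxyJump) but not -R reverse forwards.
    printf '    AllowTcpForwarding local\n'
    printf '    PermitOpen%s\n' "$dests"
    printf '\n'
}

# Full config in the right order: the global section MUST come before the
# first Match line, because everything after a Match belongs to that block.
# Constructed policy: alice may ssh to two app hosts, bob only to one DB port.
build_jump_config() {
    jump_global_defaults
    printf '\n'
    jump_match_block alice 10.0.1.10:22 10.0.1.11:22
    jump_match_block bob   10.0.2.5:5432
}

# Stand-alone demo: print the generated config.
build_jump_config
```

Users then connect with `ssh -J alice@jump 10.0.1.10` (or `ProxyJump jump` in their ssh_config); a `ssh alice@jump` by itself gets nologin and no TTY. Two caveats a practitioner should know: PermitOpen is matched against the destination string the client asks for, so hand out the same form you listed (IP addresses are the least ambiguous); and this only constrains forwards requested through sshd. Anything else running as that user on the jump box, or a user who somehow gets a shell, needs a host firewall on the jump box as well.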
@pattonb said in ps2 to usb adapters:
@IRJ correct, You can buy these for about $2.00 ( from China), as I just did, and will see how well they work.
You should try it thoroughly. Some scancodes (=id of the key) just don't work with some adapters - for no good reason I might add..
@scottalanmiller said in ps2 to usb adapters:
@pattonb said in ps2 to usb adapters:
Does it make any sense, to cut off the ps2 end, and replace with usb ?
USB is a wholly different technology than PS/2. One is digital, one is analogue.
No, they're actually both digital. And serial communication as well.
You're probably thinking about vga versus dvi/hdmi.
I also came across Teleport which is especially intended as a jump server.
I've seen it before but never had closer look.
@scottalanmiller said in SSH jump server access control?:
Using /etc/ssh/sshd_config you can limit a user's access TO the jump system in the first place before they can access anything on the network.
I'll have a closer look at the config file.
I know you can disable tunneling and such things. And I want limits on who is allowed to use the jump server.
@scottalanmiller said in New server q's:
@siringo said in New server q's:
That was when we were being taught about x86 server systems such as NT and NetWare, not OSs such as VMS, Unix, OS400 etc.
Yes, non-enterprise systems had a very brief window ONLY WHEN deployed on IA32 (x86) architecture (aka non-enterprise) hardware where hardware RAID made sense for performance reasons.
Even then, it's important to note that hardware RAID was very, very rarely faster. Pentium Pro and Pentium 2 procs were faster BUT were resource constrained. So even though they could do RAID processes faster, the RAID card gave us additional processing power and additional RAM. That was important because it was an era when we were often limited by the total amount of CPU and RAM that we could buy for those kinds of devices. It wasn't that hardware RAID was faster than software RAID, it was that hardware RAID represented a means of adding more CPU and RAM to the total when we just weren't able to get enough.
The Pentium III had so much more cache, faster RAM controller, and the ability to address so much RAM that we weren't constrained by the hardware anymore, but by the cost to grow it as big as we wanted (and you could afford main CPU and RAM before you could afford equal improvements from a hardware RAID card.)
I like to think of these as the era when CPUs had frequencies in the MHz range.
When we got to the GHz range the overhead of bit calculations for RAID started to be come minuscule.
Now with NVMe SSD drives connected directly to the CPU on the PCIe bus, the RAID adapter has become obsolete.
@triple9 said in SSH jump server access control?:
@scottalanmiller Pete-S wants control once user is logged in or I misunderstood request? IPtables kicks in when user jumps to destination server.
Yeah, I want to control what IPs and ports the user is allowed to access once logged in.
I don't want unauthorized users to be able to access anything except what they are allowed to.
PS. Had a look at --uid-owner on iptables and it seems like it could be used to limit network access on a user by user basis.
We actually use debian and iptables is now replaced by nftables, but I'm sure it has similar capabilities.
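As an added example (not code from the thread), here is the nftables form of the --uid-owner idea from the post above, for a Debian jump host where iptables has given way to nft. The output hook with meta skuid works for a jump server because after authentication the per-connection sshd process runs as the logged-in user, so the TCP sockets it opens on the user's behalf (ProxyJump, -L) carry that user's uid even though every packet leaves with the jump box's own source IP. The uids and destination addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-user egress rules on the jump host with nftables,
# the nft equivalent of "iptables -A OUTPUT -m owner --uid-owner ...".
# Assumptions (constructed): alice is uid 1001, bob is uid 1002, and the
# destinations below are the only hosts each of them may reach.

# nft_user_rules UID DEST...   (DEST is ipv4:port)
# Prints one accept rule per DEST for that uid. Numeric uids only, so the
# ruleset loads without name lookups; returns 1 on malformed input.
nft_user_rules() {
    uid=$1; shift
    printf '%s' "$uid" | grep -Eq '^[0-9]+$' || {
        echo "nft_user_rules: bad uid '$uid'" >&2; return 1; }
    [ $# -gt 0 ] || {
        echo "nft_user_rules: no destinations for uid $uid" >&2; return 1; }
    for d in "$@"; do
        ip=${d%:*}; port=${d##*:}
        printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
            echo "nft_user_rules: bad destination '$d'" >&2; return 1; }
        printf '%s' "$port" | grep -Eq '^[0-9]{1,5}$' || {
            echo "nft_user_rules: bad port in '$d'" >&2; return 1; }
        printf '        meta skuid %s ip daddr %s tcp dport %s ct state new accept\n' \
            "$uid" "$ip" "$port"
    done
}

# build_jump_ruleset: a complete, idempotent nft file. The output chain has
# policy drop, so a user (or malware running as that user) reaches nothing
# that is not explicitly listed. Root keeps full egress for updates etc.
build_jump_ruleset() {
    cat <<'EOF'
add table inet jump_egress
flush table inet jump_egress
table inet jump_egress {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta skuid 0 accept
        # --- per-user jump targets (constructed example policy) ---
EOF
    nft_user_rules 1001 10.0.1.10:22 10.0.1.11:22
    nft_user_rules 1002 10.0.2.5:5432
    cat <<'EOF'
        log prefix "jump-egress-denied " drop
    }
}
EOF
}

# Stand-alone demo: print the ruleset. Load it with:  build_jump_ruleset | nft -f -
build_jump_ruleset
```

Two things to keep in mind when applying this: user-space name resolution happens as the user too, so either hand out IP addresses for the jump targets (as the sshd PermitOpen side of this setup would also want) or add a rule allowing udp dport 53 to your resolver for everyone; and the log rule gives you an audit trail of every denied attempt per uid, which is the detection you get for free with this approach and not with a pure network firewall that only sees the jump box's IP.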
@scottalanmiller said in SSH jump server access control?:
@Pete-S said in SSH jump server access control?:
Or is there a possibility to limit network access depending on the user account as well?
This is complex because in the case of a jump box, everyone's IP is the same... it's the IP of the jump box. The source of the jump is unknown to anything after the jump. That's part of the point to give everyone the same IP address so that you can limit ALL connections to that one IP (or set of IPs.)
The VPN approach is far less secure. The jump box would already be more secure than the VPN with IP restrictions. In that spirit, yes, you can restrict anything to the IP of the user and meet the stated requirement (assuming it's a political thing) AND increase security while doing so.
Weird and clearly not what people mean, but so often security "rules" are made without any security in mind and that would apply here.
The point of security measures is to give access only to what they need - least privilege. So to give jump box users access to the entire network makes no sense, unnecessary risk.
I can't see how a VPN solution would be less secure than a ssh jump box. That makes zero sense to me. They are effectively the same - encrypted links / tunnels. A ssh jump server would be more practical in a lot of cases though.
So the question is just how to restrict network access on a user by user basis. If you can't do it in the jump server directly, you could potentially have several jump servers for different users.
@scottalanmiller said in SSH jump server access control?:
@Pete-S said in SSH jump server access control?:
Or is there a possibility to limit network access depending on the user account as well? If that is the case, how is that done?
I bet you can, but we don't. So I'm not sure how. Generally you assume that access "to" the jump box means it is a trusted person already, then the additional access to the next device is limited to user access rather than network access. It's not that you trust them completely, but you don't limit their ability to launch a DoS attack or something at a network level.
When we use VPN for remote access, each user is assigned his own unique IP address. Network access is then controlled by network firewall rules.
I was thinking about how to replicate that with a ssh jump server. We need that type of access restriction.
@Pete-S said in New server q's:
But it depends on the specific CPU. The number of memory channels on the CPU determines how many RAM modules you need.
Typical small servers today, like Dell R240, use Intel E2200 series CPUs.
They have two memory channels and can take 4 DIMM modules in total. So you should have either 2 or 4 DIMMs in these servers.
In the case of R240, the smallest supported RAM config would be 2 x 8GB and the largest would be 4 x 16GB. Speed would be the same.
If you buy Dell they will help you get it right though.
@siringo said in New server q's:
A while ago I got help with RAM. One of the kind folks here explained to me that the server I was talking about (at that time) required a certain number of RAM sticks as the address bus was ???? bits wide.
As an example of what I mean, the server had 32GB of RAM and I got that from 2 x 8GB and 1 x 16GB. From memory the advice was I should have used 4 x 8GB sticks.
Can anyone confirm that for me??
What you were doing is called an unbalanced memory configuration and slows down the memory by 50%.
But it depends on the specific CPU. The number of memory channels on the CPU determines how many RAM modules you need for 100% performance.
So you have to search whatever CPU you want to have and you'll see how many memory sticks you need. The motherboard determines how many sticks you can use in total.
So a CPU with 4 memory channels should be configured with 4, 8, 12, 16 etc modules. This info is usually in the users manual as well.
@siringo said in New server q's:
My main question is what RAID level are people using these days & if I chose a server with spinning disks, would I look like an idiot who didn't know anything?
In 2022, yes you'd look like an idiot. SSDs are much faster and have significantly higher reliability (server grade SSDs).
3.5" spinning disks for bulk storage is a very good use of magnetic media however.
RAID1 (mirror) of SSDs is all you need. It will outperform any spinning disk configuration. So 2 x 2TB SSD in your case.
If you want high performance you should use NVMe SSDs and software RAID.
Assume you have a ssh jump server so that users can access your server infrastructure through it.
How is access control implemented?
Do the users actually have network access to your entire infrastructure but are only able to login to the servers where they actually have working credentials?
Or is there a possibility to limit network access depending on the user account as well? If that is the case, how is that done?
@dafyre said in Edge works, Chrome does not -:
Check that Chrome doesn't have some kind of proxy settings configured?
+1
I'd install Firefox as well to see if it works or not. And maybe Brave since it's also based on chromium.
@scottalanmiller said in Scott Alan Miller Vlog - My Daily Life in Central America:
@Pete-S said in Scott Alan Miller Vlog - My Daily Life in Central America:
I'm thinking about having a channel but it seems like it would require a substantial time commitment.
So, yeah, for one like this, for sure. I turn out two videos per day. One is long and comes out like clockwork at 9am Eastern for coffee and donuts time. The vlog format makes it "easy" once you get used to it, the editing is very light.
My TakeFlight shows take maybe 20-30 hours of editing to produce a 10-20 minute episode and come out once every several months. So totally different amount of effort. It REALLY depends on your workflow and editing needs for an episode.
This channel is designed around making it easy to produce. BUT, some stuff like the episode being made today or the one made last Saturday (the parade going live in two days) took many, many hours to record because I had to travel, film events, etc. I've been filming all morning today and am just prepping to go film with my lawyer all afternoon.
Awesome info Scott. Thanks for sharing.
@scottalanmiller
You make interesting videos Scott! And with a consistent output! Keep up the good work!
How many hours of work is it to turn the raw footage from a video, like this one, into the finished product ready for upload?
I'm thinking about having a channel but it seems like it would require a substantial time commitment.
@JaredBusch said in KVM networking with libvirt (virsh) questions:
I assume that Debian 11 uses NetworkManager? I don't have a clean Debian system running KVM to check. If so nmcli and its related commands are your friend.
Thanks Jared.
Reading about nmcli and seeing your screenshots led me to understand that macvtap devices are only active when the VM is actually running.
Using ip link I can now see the macvtap device on the host. One for each VM connected.