
    Posts

    • RE: What do you think about .app domain names?

      @scottalanmiller said in What do you think about .app domain names?:

      If it is under the hood, why bother. If it isn't under the hood, I think customers get confused.

      So you mean if it's customer facing it's better to stick to .com and there will be no confusion?

      posted in IT Discussion
      1
      1337
    • RE: What do you think about .app domain names?

      @dashrender said in What do you think about .app domain names?:

      here's a question - does it even matter?

      There was a time when .net was only for ISPs (or at least that's what I recall reading), but is that case now? heck no.

      TLDs rarely if ever stay within their "specified" purposes.

      Heck, just look at this site - mangolassi.it - .it - as in an Italian website, but we definitely aren't that.

      Long run - normal people have no idea what the purpose of a TLD is other than it's part of the name of the website they are visiting.

      Among IT pros there might not be much difference. But I think it depends on what it was. If it was mangolassi.ru would you be as likely to visit?

      But I don't know about business users. If they think it's odd and suspicious it might have some negative effect.

      posted in IT Discussion
      1
      1337
    • RE: Staying at your shitty employer is your fault

      @scottalanmiller said in Staying at your shitty employer is your fault:

      And what's the market size? If you work remotely, the market is global. If you don't work remotely, the market is as big as you feel like claiming a commute would be. Everyone has different ideas of what a market is.

      To some people 40 miles is a reasonable commute and the market is a metro or more. To others, a market is a country. To others, a market is only a neighbourhood in which you can get easy public transportation.

      Or just a similar time zone, like a couple of hours difference either way.

      posted in IT Careers
      1
      1337
    • What do you think about .app domain names?

      What do you think about .app top level domain names? Yay or nay?

      Are they suitable for a SaaS application? Or is it more intended for mobile apps?

      And is anybody actually using them? I know that there are many registered but I can't seem to remember actually seeing any examples of *.app domain names.

      .app is also on the HSTS preload list, which means that it requires https. So I assume that means that if someone enters example.app in their browser it will automatically look at port 443.

      posted in IT Discussion
      1
      1337
    • RE: Cloudflare Spectrum alternative

      @jimmy9008 said in Cloudflare Spectrum alternative:

      One option we are considering is to make the storefront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.

      It's very common for global companies to use VPN for contractors to access internal systems. You need to set up some kind of on/offboarding process though.

      Having been on the contractor side we usually get NDAs, a list of security compliance things that need to be fulfilled and then VPN client software, credentials, MFA, hardware tokens etc. But I've also seen complete VMs delivered and even ready to use laptops for remote system access.

      Most contractors I know run a VM for each customer, for example using VirtualBox or VMware Workstation. Then you have a clean OS and whatever software is needed for remote system access. It's usually the easiest way to handle many customers with different requirements.

      posted in IT Discussion
      1
      1337
    • RE: New customer - greenfield setup

      @dashrender said in New customer - greenfield setup:

      @jaredbusch said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      Should they go DNS filtering or NGFW with filtering subscription?

      2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

      I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

      Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.

      That's just the thing. You need to block that crap.

      • Block DNS over TLS in the firewall (port 853 outgoing).
      • Block DNS over HTTPS in the firewall (port 443 outgoing to IPs of all known DNS providers like 1.1.1.1, 8.8.8.8 etc).
      • Block DNS in the firewall (port 53 outgoing)
      • Set up your DNS filtering and set the firewall to provide that DNS to everything on the LAN.

      My general rule is to block everything outgoing except 80 (for redirect purposes) and 443. Then open up as needed.

      posted in IT Discussion
      1
      1337
    • Zoho analyzes DMARC reports now

      What's new?

      About 6 months ago Zoho updated their Admin Console for Zoho Mail.
      It was mostly a user interface refresh, or so it looked like.

      What Zoho didn't mention is that they actually added the ability to have DMARC reports analyzed automatically and view the statistics.

      If you have Zoho Mail (paid plans only) the reports are here:
      https://mailadmin.zoho.com/cpanel/reports.do#reports/dmarc/failure

      Documentation is here:
      https://www.zoho.com/mail/help/adminconsole/organization-email-reports.html#alink5


      How do I get the reports into Zoho?

      To get these reports you have to have SPF, DKIM and DMARC set up on your domain with reporting enabled.

      You should have a DNS TXT record on your domain called _dmarc.
      For example set to: v=DMARC1; p=reject; rua=mailto:[email protected]

      It looks like Zoho is snooping up reports automatically, if the receiving email set above is in your domain. We use [email protected]


      What are DMARC reports?

      For those that don't know, DMARC reports are the only way to detect if someone is using your domain to send out spam or malicious emails that look like they came from your domain. Or if an email server is sending out emails that are legitimate but misconfigured - often causing the emails to end up in spam or rejected. Without DMARC reports you would never know if that happened.

      The actual DMARC reports are XML files that are emailed back to you from other email providers, like Microsoft or Google. They provide information on how the receiving end analyzes incoming email, looking at your DNS records for SPF, DKIM and DMARC settings and comparing that to what is in the actual email.


      I don't use Zoho - I use Microsoft, Google etc...

      Well, normally your email provider can't help you with this.

      You need to sign up with a third-party service to analyze your DMARC reports. And then they would provide the statistics for you.

      Hopefully Microsoft, Google etc will follow suit and provide analysis directly in their mail admin panels.

      posted in IT Discussion dmarc spf dkim email zoho
      1
      1337
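      As an added example (not code from the post above or from Zoho), here is a small Python script that does offline what the post says Zoho now does: it parses a DMARC aggregate report and tallies, per source IP, whether the receiver saw aligned DKIM/SPF passes, a lone SPF failure (typically forwarding or a host missing from SPF) or a failure of both (the spoofing candidates). The XML, the receiver name, the domain and the IPs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; receiver,
# domain and IPs are placeholders, not values from any real report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>400</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def classify(dkim, spf):
    """Label a row by the aligned DKIM and SPF results the receiver reported."""
    if dkim == "pass" and spf == "pass":
        return "aligned"        # legitimate, correctly configured sender
    if dkim == "pass":
        return "spf-fail-only"  # typically forwarding, or a host missing from SPF
    if spf == "pass":
        return "dkim-fail-only" # typically an unsigned or badly signed server
    return "both-fail"          # nothing vouches for it: misconfig or spoofing


def summarise(xml_text):
    """Return policy, per-source-IP counts and per-class totals for one report."""
    root = ET.fromstring(xml_text)
    per_ip = defaultdict(lambda: {"count": 0, "dispositions": set(), "class": None})
    totals = defaultdict(int)
    for row in root.iter("row"):
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        label = classify(pe.findtext("dkim"), pe.findtext("spf"))
        per_ip[ip]["count"] += n
        per_ip[ip]["dispositions"].add(pe.findtext("disposition"))
        per_ip[ip]["class"] = label
        totals[label] += n
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "per_ip": dict(per_ip), "totals": dict(totals)}


def suspicious_sources(summary):
    """IPs whose rows failed both DKIM and SPF: the ones worth investigating."""
    return sorted(ip for ip, i in summary["per_ip"].items() if i["class"] == "both-fail")


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}  totals={s['totals']}")
    for ip, i in s["per_ip"].items():
        print(f"  {ip:>15} {i['count']:>5} {i['class']:<15} {sorted(i['dispositions'])}")
    print("suspicious:", suspicious_sources(s))
```

      Real reports arrive as zip- or gzip-compressed attachments; decompress them first and feed each XML body to summarise().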
    • RE: beyond bash shell scripting, what language should I use

      @jaredbusch said in beyond bash shell scripting, what language should I use:

      So I have a need to move a few scripts beyond basic bash shell scripts.

      Typical OS is Fedora ecosystem, second most used is Debian.

      The script will need to execute other applications like ffmpeg and scp/rsync.

      What language should I use?

      I assume the first answer will be python, which I am not a fan of, but can use.
      Maybe go? Seriously open to suggestions.

      There is no general answer to your question.

      The real question is what are you trying to accomplish that shell scripts can't do or don't do a good job at? And what's the most suitable language/languages for that task?

      For example when you say "execute other applications" that implies shell scripts because that is what they do best. If you wanted to use ffmpeg libraries for encoding, decoding and such that would have been a totally different thing and shell scripts wouldn't have been an option.

      posted in IT Discussion
      1
      1337
    • RE: GKE Auto Scaling down to shut down resource usage and save costs.

      @stacksofplates said in GKE Auto Scaling down to shut down resource usage and save costs.:

      @pete-s said in GKE Auto Scaling down to shut down resource usage and save costs.:

      @irj
      Interesting, I know nothing but aren't you using the cluster autoscaler?

      It's supposed to scale up and down automatically as needed with the settings you give it. If it doesn't scale down as far as you like, have a look at the settings.

      Autoscaling depends on the apps. If your app can't withstand a shutdown it's not a good idea. When more nodes are added the scheduler might move the pod to a different machine.

      Yes, but that is why you have settings. How far you want to be able to scale down and how far you want to be able to scale up.

      But I don't know much about it though except what I've picked up from videos like the one below: 🙂

      (embedded YouTube video)

      posted in IT Discussion
      1
      1337
    • RE: Small switch for small branch office recs?

      You should be able to find HPE switches like the 1820 with PoE.

      posted in IT Discussion
      1
      1337
    • RE: GKE Auto Scaling down to shut down resource usage and save costs.

      @irj
      Interesting, I know nothing but aren't you using the cluster autoscaler?

      It's supposed to scale up and down automatically as needed with the settings you give it. If it doesn't scale down as far as you like, have a look at the settings.

      posted in IT Discussion
      1
      1337
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.

      Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?

      Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.

      posted in IT Discussion
      1
      1337
    • RE: SPF records - for all A records?

      @dashrender said in SPF records - for all A records?:

      This site is pretty good also for checking the whole mailing stack
      https://www.checktls.com/TestReceiver

      That one was new to me. I'm going to check it out.

      Another awesome resource, one that can test your own email from the receiving end is https://www.learndmarc.com/
      It's just great and will explain what happens.

      It's made by uriports. We just started to evaluate their DMARC report monitoring service. Looking good so far.

      posted in IT Discussion
      1
      1337
    • RE: SPF records - for all A records?

      @dashrender said in SPF records - for all A records?:

      I'm reading up on SPF/DKIM/DMARC and ran across several posts where people indicate they create SPF records for all A records in their DNS (not sure why they would skip CNAMEs?)

      Is this really necessary? Does anyone else here do that?

      Here is one such comment

      It is a best practice to have a "does not send" SPF record (i.e. "v=spf1 -all") on every HOST within a domain that doesn't otherwise have a different SPF record -- as well as for the domain itself plus any non-host label in the domain that has MX or SMTP-service-SRV records. The idea is to permit detection that the host-part of a sending mailbox is forged, and for those idiots that don't check others' SPF records, that you have protected all possible labels in your domain that could be backscatter targets.

      It's indeed best practice to do so.
      http://www.open-spf.org/FAQ/Common_mistakes/#all-domains

      I haven't bothered though. But I have DKIM and DMARC also set up. If both SPF and DKIM fail, the DMARC policy instructs the receiver to completely reject the email.

      Just using SPF isn't an effective measure against spoofed emails. DKIM adds a secure signature to each mail and DMARC is the policy on what the receiving end should do.

      From received DMARC reports you can see when servers are trying to spoof your domain's email addresses.

      BTW you only need to add an SPF for the A record because that is where the IP address is. CNAME is just a pointer to another A record.

      Use something like this to check your SPF records:
      https://www.dmarcanalyzer.com/spf/checker/
      On this one you'll see how SPF records are resolved to IP addresses, sometimes in multiple levels.

      posted in IT Discussion
      1
      1337
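      To show what the checker linked above does when it resolves SPF "in multiple levels", here is an added Python example (not from the post or from dmarcanalyzer.com) that expands an SPF record through a, mx and nested include mechanisms into IP networks, checks a sender IP against them, and counts DNS-querying mechanisms against the RFC 7208 limit of 10. DNS_TABLE is a constructed stand-in for real DNS; example.com, mailer.test and the addresses are placeholders, and the "v=spf1 -all" entry on www.example.com is the non-sending host record the thread discusses.

```python
import ipaddress

DNS_TABLE = {  # constructed stand-in for DNS; all names and IPs are placeholders
    "example.com": {"TXT": ["v=spf1 a mx include:_spf.mailer.test -all"],
                    "A": ["192.0.2.10"], "MX": ["mx1.example.com"]},
    "mx1.example.com": {"A": ["192.0.2.25"]},
    "_spf.mailer.test": {"TXT": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer.test ~all"]},
    "_spf2.mailer.test": {"TXT": ["v=spf1 ip6:2001:db8::/32 -all"]},
    "www.example.com": {"TXT": ["v=spf1 -all"], "A": ["192.0.2.80"]},  # never sends mail
}
LOOKUP_LIMIT = 10  # RFC 7208: more than 10 DNS-querying mechanisms is a permerror
VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(name):
    for txt in DNS_TABLE.get(name, {}).get("TXT", []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def resolve(name, lookups=None):
    """Expand SPF into (qualifier, network) terms; also return *all default and lookups."""
    lookups = [0] if lookups is None else lookups
    rec = spf_record(name)
    if rec is None:
        raise ValueError(f"no SPF record for {name}")
    terms, default = [], "?"  # neutral when no *all mechanism is present
    for tok in rec.split()[1:]:
        q = tok[0] if tok[0] in "+-~?" else "+"
        mech = tok.lstrip("+-~?")
        if mech == "all":
            default = q
        elif mech.startswith(("ip4:", "ip6:")):
            terms.append((q, ipaddress.ip_network(mech[4:], strict=False)))
        elif mech in ("a", "mx") or mech.startswith("include:"):
            lookups[0] += 1  # a, mx and include each cost one DNS lookup
            if lookups[0] > LOOKUP_LIMIT:
                raise ValueError("permerror: more than 10 DNS lookups")
            if mech.startswith("include:"):
                sub, _, _ = resolve(mech[8:], lookups)
                # include matches only when the included record would PASS, so just
                # its positive terms count and its own *all default does not propagate
                terms.extend((q, net) for sq, net in sub if sq == "+")
                continue
            hosts = [name] if mech == "a" else DNS_TABLE.get(name, {}).get("MX", [])
            for h in hosts:
                for a in DNS_TABLE.get(h, {}).get("A", []):
                    terms.append((q, ipaddress.ip_network(a)))
    return terms, default, lookups[0]


def check(domain, sender_ip):
    """Evaluate sender_ip against domain's SPF; returns (result, DNS lookups used)."""
    ip = ipaddress.ip_address(sender_ip)
    terms, default, used = resolve(domain)
    for q, net in terms:
        if ip in net:  # an IPv4 address never matches an IPv6 network, and vice versa
            return VERDICT[q], used
    return VERDICT[default], used
```

      Note that the mx mechanism matches an address only because the MX name resolves to an A record, which is the point made above about SPF and CNAMEs: the IP always comes from an A record in the end.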
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dave247

      On every Windows PC I've seen set up with VPN, you log in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.

      So maybe you're overcomplicating things.

      Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...

      For starters have a look at "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".

      I think Windows 10 will cache by default but not if there are GPO settings overriding it or the registry has been altered. I haven't played with it much so I'm not sure if there is anything else that needs to be looked at.

      posted in IT Discussion
      1
      1337
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @dave247

      On every Windows PC I've seen set up with VPN, you log in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.

      So maybe you're overcomplicating things.

      posted in IT Discussion
      1
      1337
    • RE: Where are MSP managed on-prem workloads moving?

      @dashrender said in Where are MSP managed on-prem workloads moving?:

      @pete-s said in Where are MSP managed on-prem workloads moving?:

      Thanks, it does make sense to move to SaaS solutions for a single customer that is doing their own IT.

      But an MSP is in a different position because they, besides know-how, have a larger scale. So it can make economic sense to host things for their customers that don't make sense for each individual customer.

      For instance, does it make sense for a company to have a server to host their website on? No, it doesn't. But if you're an MSP and your customers have a thousand websites that need to live somewhere, it might make sense for you to host them.

      I guess it also depends if you're an MSP that just manages things or if you also have your own hosting/cloud infrastructure or use another provider for that.

      All good points. I have no view into that world, the few ITSPs I know are using other companies' solutions, not rolling their own, or even hosting their own. Though some of them, we'll take JB for example, do manage all the stuff other than hypervisor and hardware for things like a Ubiquiti controller, and PBXs.

      If you really do have need to host 1000's of websites (or really massive sites), it could make sense to manage the whole stack, but then again, it could be better to get services from someone like Vultr, or in extreme cases like Amazon/Azure.

      It's possible that ITSP/MSPs in the SMB space in general don't own any infrastructure themselves.

      I know large companies that fully outsource their workloads to service providers. Those service providers host the workloads primarily in their own datacenters but also on public cloud infrastructure. But these service providers are often large companies themselves so they have scale.

      posted in IT Discussion
      1
      1337
    • RE: Goodbye hardware monitoring on HPE Gen10 and newer equipment running ESXi

      @dashrender said in Goodbye hardware monitoring on HPE Gen10 and newer equipment running ESXi:

      @pete-s said in Goodbye hardware monitoring on HPE Gen10 and newer equipment running ESXi:

      @dashrender said in Goodbye hardware monitoring on HPE Gen10 and newer equipment running ESXi:

      I agree, in this day and age - that's super risky, i.e. you get compromised and all of your customers are now compromised.

      though just because you have 100 passwords, one for each client, that info has to be stored somewhere and perhaps it would be compromised as well - and your clients are still compromised...

      Risk has to be managed but it's not more risky having 100 customers with one server each on-prem than having 100 servers in one location.

      Oh, I completely disagree. Now if you tell me all the creds for those 100 on-prem servers are in one place, then I tend to agree with you, but if they aren't then they are a tiny bit, if not a lot, more secure.
      In this situation - it really comes down to them being managed by an MSP/ITSP that's the weak link.... If the MSP/ITSP is breached and the hackers get all the creds, be it one cred or 100 creds, then the customers are fooked either way.

      I think I was a bit unclear.

      What I mean is VPN is just an extension of the LAN. So 100 physically spread but centrally managed servers have the same risk as 100 servers in the same location managed locally.

      If the managing thingy is compromised, then every server is potentially compromised as well.

      If you on the other hand have 100 servers physically spread and managed locally and not centrally, well then the risk is a lot smaller. But you don't get any of the benefits of central management either, or economies of scale.

      As you said it's the central management from the MSP/ITSP that's the weak link.

      posted in IT Discussion
      1
      1337
    • RE: Where are MSP managed on-prem workloads moving?

      @dashrender said in Where are MSP managed on-prem workloads moving?:

      I've recently moved my email to M365, so SAAS for that.
      We're about to start planning our move of file share data to Sharepoint/ODfB - again SAAS.

      That leaves me with two items left on-prem - an old EMR I have to keep alive for at least 2 more years and our accounting software.
      Additionally, we have a laboratory interface for some of our testing equipment that only runs on Windows Server (legally) so that needs to live somewhere as well.

      We'll definitely keep the old EMR on-prem until we retire it.

      It looks like we can buy a hosted solution of BusinessWorks if we really want to go that route - it's slow as molasses over a VPN connection; it pulls all kinds of data down locally - very old school solution. So for good performance I'd assume we'd have to remote into a desktop that's more local to the host of BusinessWorks, driving the price up.

      I'd love to move the laboratory software to a tiny 'nix box, lock it down and forget about it - basically only allowing it to talk to a control IP inside my network and the Lab itself, but again, the software is for Windows only. I suppose I can do the same with Windows, but that would require potentially 3 licenses so I don't have to worry about VPNs back to a central server for all three locations.

      Thanks, it does make sense to move to SaaS solutions for a single customer that is doing their own IT.

      But an MSP is in a different position because they, besides know-how, have a larger scale. So it can make economic sense to host things for their customers that don't make sense for each individual customer.

      For instance, does it make sense for a company to have a server to host their website on? No, it doesn't. But if you're an MSP and your customers have a thousand websites that need to live somewhere, it might make sense for you to host them.

      I guess it also depends if you're an MSP that just manages things or if you also have your own hosting/cloud infrastructure or use another provider for that.

      posted in IT Discussion
      1
      1337