ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login
    1. Topics
    2. DustinB3403
    • Profile
    • Following 21
    • Followers 20
    • Topics 938
    • Posts 25,969
    • Best 6,885
    • Controversial 350
    • Groups 0

    DustinB3403

    @DustinB3403

    9.6k
    Reputation
    15.0k
    Profile views
    26.0k
    Posts
    20
    Followers
    21
    Following
    Joined Last Online
    Website github.com/Jarli01/ Location Rochester, NY Age 40

    DustinB3403 Unfollow Follow

    Best posts made by DustinB3403

    • RE: What Are You Doing Right Now

      Everyone, please welcome my daughter Diana into the world.

      She arrived at 7:26am today!

      0_1531855826365_Diana.png

      posted in Water Closet
      DustinB3403D
      DustinB3403
    • Xen Orchestra on Ubuntu 15.10 - Complete installation instructions

      This guide assumes you already have a running Ubuntu 15.10 system on which you want to configure Xen Orchestra, everything else is documented below.

      TL;DR: Run this command as root on Ubuntu 15.10...

      sudo curl https://raw.githubusercontent.com/scottalanmiller/xenorchestra_installer/master/xo_install.sh | bash
      

      During the installation of your OS, you'll want to create a user outside of root, I made my user account xoadmin

      How to Install Xen Orchestra Source on Ubuntu 15.10 (self compiled) AKA MANUAL installation

      sudo apt-get install --yes nfs-common
      curl -sL https://deb.nodesource.com/setup_5.x | sudo -E bash -
      sudo apt-get install --yes nodejs
      curl -o /usr/local/bin/n https://raw.githubusercontent.com/visionmedia/n/master/bin/n
      chmod +x /usr/local/bin/n
      n stable
      node -v
      npm -v
      sudo apt-get install --yes build-essential redis-server libpng-dev git python-minimal
      git clone -b stable https://github.com/vatesfr/xo-server
      git clone -b stable https://github.com/vatesfr/xo-web
      cd xo-server
      sudo npm install && npm run build
      cp sample.config.yaml .xo-server.yaml
      nano .xo-server.yaml
      
      #Edit and uncomment it to have the right path to XO-Web, because XO-Server embeds an HTTP server (we assume that XO-Server and XO-Web are on the same directory). It's near the end of the file:
      #  mounts: '/': '../home/xoadmin/xo-web/dist/
      #  save and exit
      
      cd ~
      cd ../xo-web
      sudo npm i [email protected]
      sudo npm install
      sudo npm run build
      cd ../xo-server
      sudo npm start
      

      The scripted installation thanks to @scottalanmiller

      Github Repo

      Below is the preferred Installation method. It includes the systemctl xo-server.service written by @Danp

      sudo bash
      <password>
      sudo curl https://raw.githubusercontent.com/scottalanmiller/xenorchestra_installer/master/xo_install.sh | bash
      <password>
      

      In your favorite web-browser go to this VM's IP Address, login with the default user: [email protected] and "admin" for the password. Update your Login Details!!

      Add your Xen Server(s) and go to town.

      Automatically Start XO at Boot - See this Post by @Danp Also copied below.

      Create a file in /etc/systemd/system/xo-server.service and enter the below into it.

      # systemd service for XO-Server.
      
       [Unit]
       Description= XO Server
       After=network-online.target
      
       [Service]
       WorkingDirectory=/opt/xo-server/
       ExecStart=/usr/local/bin/node ./bin/xo-server
       Restart=always
       SyslogIdentifier=xo-server
      
       [Install]
       WantedBy=multi-user.target
      

      Save the file, and then run to enable the service at start up.

      sudo systemctl enable xo-server.service
      

      To monitor the service you can then run

      journalctl -u xo-server -f -n 50
      

      For everyone on the newer releases of the "stable build" at least as of April-8-2016 there appears to be a bug when attempting to mount an NFS share; to resolve this follow the short process below

      • Login to your XO web console
      • Go to Backup
      • Select Remote Stores
      • Add your NFS Share, it'll likely fail out(unless it's been fixed since this posting)
      • Back on your XO console go to /tmp/xo-server/mounts
      • Run "ls" to see what mount is listed on your server
      • Next run "mount -t nfs nfs-server-ip-address:/path/to-share remote-#"

      Replacing nfs-server-ip-address with the actual IP of the remote server and the remote-# with whatever is listed on your console.

      0_1460121122626_XenCenterMain_2016-04-08_09-10-39.png

      0_1460121105143_XenCenterMain_2016-04-08_09-11-13.png

      posted in IT Discussion how to xen orchestra ubuntu 15.10 debian xen open source ubuntu linux xenserver
      DustinB3403D
      DustinB3403
    • New StarWind Virtual SAN Free - All restrictions removed!

      Register for today's live demo April 6, 11 am PT / 2 pm ET.

      Host: Alex Bykovskyi, Solutions Architect, StarWind

      New StarWind Virtual SAN Free comes completely unrestricted delivering all the features you get in the commercial version. Unlike the previous free version, new VSAN Free delivers unlimited node count, features, and capacity served. It can now be used in any deployment scenario, be it Hyper-Converged, “Compute and Storage Separated”, or even a combination of both. Thanks to multiprotocol support, featuring iSCSI, SMB3, and NFS, including RDMA-capable iSER, NVMf, and SMB Direct, StarWind VSAN easily integrates into any infrastructure, be it virtualized or not. In addition, support for VVOLs, SCVMM, and ready-to-use PowerShell scripts help users to speed up and simplify automated deployment, management, and monitoring of their Virtual SAN infrastructure.

      Join our Live Demo to learn how to build a completely free multi-node hyper-converged environment with StarWind and your hypervisor of choice!

      *Virtualize responsibly!

      posted in IT Discussion starwind vsan san storage starwind vsan
      DustinB3403D
      DustinB3403
    • Gaming to Raise Funds for Children's Hospitals

      Hey all!

      On November 11th I'll be gaming for 24 hours straight to raise money for Golisano Children's Hospital,please hit my page up here and donate to help raise funds.

      Thanks,

      DustinB

      posted in Self Promotion gaming charity fund raising hospital
      DustinB3403D
      DustinB3403
    • RE: Fake Wall or Wall Closet?

      @nerdydad said in Fake Wall or Wall Closet?:

      Any suggestions?

      Tell your CFO to stop giving tours of your server room and focus on saving money for more important things.

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • RE: MangoCon 2016

      0_1473888981068_1473888963210-832708372.jpg

      Messing with @Minion-Queen

      posted in MangoCon
      DustinB3403D
      DustinB3403
    • RE: What Are You Doing Right Now

      I'm wondering why I don't have a tank!

      https://i.redd.it/ies4pabw0fz11.jpg

      posted in Water Closet
      DustinB3403D
      DustinB3403
    • Topics regarding Inverted Pyramids Of Doom

      Since Scott is our resident expert on said topic, I figure here would be as good a place as any to post SW articles regarding IT people who are in a position where they are unknowingly building an IPOD.

      posted in IT Discussion inverted pyramid
      DustinB3403D
      DustinB3403
    • RE: Random Thread - Anything Goes

      https://i.redd.it/14c4kks0qlg21.jpg

      posted in Water Closet
      DustinB3403D
      DustinB3403
    • xByte has delivered with an awesome pair of servers

      @BradfromxByte thank you for dealing with all of the back and forth and kick ass servers.

      2_1465314014474_20160607_113626.jpg 1_1465314014471_20160607_113604.jpg 0_1465314014461_20160607_113607.jpg

      posted in IT Discussion
      DustinB3403D
      DustinB3403

    Latest posts made by DustinB3403

    • RE: What Are You Doing Right Now

      Reviewing the output of sslscan, it seems we have some depreciated ciphers that need to get pulled.

      posted in Water Closet
      DustinB3403D
      DustinB3403
    • RE: What Are You Doing Right Now

      Waiting for a meeting to start with a client.

      posted in Water Closet
      DustinB3403D
      DustinB3403
    • RE: No More Free Hyper-V – What Are Your Options?

      @Oksana Who has been using Hyper-V. . .

      XCP-ng, Proxmox, or straight KVM.

      posted in Starwind
      DustinB3403D
      DustinB3403
    • RE: What Are You Doing Right Now

      Hardening a few linux servers from some Medium threats, all High threats have already been remediated.

      Also getting over a cold.

      posted in Water Closet
      DustinB3403D
      DustinB3403
    • Hardening RHEL (and RHEL Based OSs)

      For obvious reasons RHEL is annoying, like needing to sign into their paywall to find this information. If you're ever needing to harden a RHEL based OS, specifically to disable SHA1 and CBC you can use the below and reboot the server.

      These vulnerabilities are outlined below and the remedy is listed at the bottom. Mind any typo's I've copied the description out of a PDF and there may be some copy/paste artifacts or typos.

      Medium (CVSS: 5.3)
       NVT: Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
       Product detection result
       cpe:/a:ietf:secure_shell_protocol
       Detected by SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565
       →)
       Summary
       The remote SSH server is con gured to allow / support weak key exchange (KEX) algorithm(s).
       Quality of Detection (QoD): 80%
       Vulnerability Detection Result
       The remote SSH server supports the following weak KEX algorithm(s):
       KEX algorithm
       | Reason-----------------------------------------------
      diffie-hellman-group-exchange-sha1 | Using SHA-1
       Impact
       An attacker can quickly break individual connections.
       Solution:
       Solution type: Mitigation
       Disable the reported weak KEX algorithm(s)- 1024-bit MODP group / prime KEX algorithms:
       Alternatively use elliptic-curve Di e-Hellmann in general, e.g. Curve 25519.
       Vulnerability Insight- 1024-bit MODP group / prime KEX algorithms:
       Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman
       key exchange. Practitioners believed this was safe as long as new key exchange messages were
       generated for every connection. However, the first step in the number field sieve-the most efficient
       algorithm for breaking a Diffie-Hellman connection-is dependent only on this prime.
       A nation-state can break a 1024-bit prime.
      
       Vulnerability Detection Method
      
       Checks the supported KEX algorithms of the remote SSH server.
       Currently weak KEX algorithms are defined as the following:- non-elliptic-curve Di e-Hellmann (DH) KEX algorithms with 1024-bit MODP group / prime- ephemerally generated key exchange groups uses SHA-1- using RSA 1024-bit modulus key
       
       Details: Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
       OID:1.3.6.1.4.1.25623.1.0.150713
       Version used: 2024-06-14T05:05:48Z
       Product Detection Result
       Product: cpe:/a:ietf:secure_shell_protocol
       Method: SSH Protocol Algorithms Supported
       OID: 1.3.6.1.4.1.25623.1.0.105565)
       References
       url: https://weakdh.org/sysadmin.html
       url: https://www.rfc-editor.org/rfc/rfc9142
       url: https://www.rfc-editor.org/rfc/rfc9142#name-summary-guidance-for-implem
       url: https://www.rfc-editor.org/rfc/rfc6194
       url: https://www.rfc-editor.org/rfc/rfc4253#section-6.5
      

      And CBC

      Medium (CVSS: 4.3)
       NVT: Weak Encryption Algorithm(s) Supported (SSH)
       Product detection result
       cpe:/a:ietf:secure_shell_protocol
       Detected by SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565
       →)
       Summary
       The remote SSH server is con gured to allow / support weak encryption algorithm(s).
       Quality of Detection (QoD): 80%
       Vulnerability Detection Result
       The remote SSH server supports the following weak client-to-server encryption al
       →gorithm(s):
       aes128-cbc
       aes256-cbc
       The remote SSH server supports the following weak server-to-client encryption al
       →gorithm(s):
       aes128-cbc
       aes256-cbc
       Solution:
       Solution type: Mitigation
       Disable the reported weak encryption algorithm(s).
       . . . continues on next page ...
      2 RESULTS PER HOST
       6
       . . . continued from previous page ...
       Vulnerability Insight- The 'arcfour' cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is
       believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems
       with weak keys, and should not be used anymore.- The 'none' algorithm specifies that no encryption is to be done. Note that this method provides
       no confidentiality protection, and it is NOT RECOMMENDED to use it.- A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to
       recover plaintext from a block of ciphertext.
       Vulnerability Detection Method
       Checks the supported encryption algorithms (client-to-server and server-to-client) of the remote
       SSH server.
       Currently weak encryption algorithms are de ned as the following:- Arcfour (RC4) cipher based algorithms- 'none' algorithm- CBC mode cipher based algorithms
       Details: Weak Encryption Algorithm(s) Supported (SSH)
       OID:1.3.6.1.4.1.25623.1.0.105611
       Version used: 2024-06-14T05:05:48Z
       Product Detection Result
       Product: cpe:/a:ietf:secure_shell_protocol
       Method: SSH Protocol Algorithms Supported
       OID: 1.3.6.1.4.1.25623.1.0.105565)
       References
       url: https://www.rfc-editor.org/rfc/rfc8758
       url: https://www.kb.cert.org/vuls/id/958563
       url: https://www.rfc-editor.org/rfc/rfc4253#section-6.3
      

      Simply running sudo update-crypto-policies --set DEFAULT:NO-SHA1:NO-CBC and rebooting the system in question removes these vulnerabilities.

      posted in IT Discussion ssh hardening linux rhel
      DustinB3403D
      DustinB3403
    • RE: What Are You Doing Right Now

      @travisdh1 said in What Are You Doing Right Now:

      Going over a bunch of Scotts (now old) videos and documentation on SANs to do a brief overview with our sales team. They might be oldish now, but still the best refence material around.

      Yeah I find myself having to go over these from time to time as well, because finding the energy to explain it myself in such a succinct manner is too difficult.

      posted in Water Closet
      DustinB3403D
      DustinB3403
    • RE: Decrypting a LUKS encrypted drive at boot

      @Obsolesce said in Decrypting a LUKS encrypted drive at boot:

      @DustinB3403 Oh is it the boot/os drive of a VM?

      No it wouldn't be the boot partition, but a secondary array (R1).

      @EddieJennings said in Decrypting a LUKS encrypted drive at boot:

      I know it's not your ideal, but have you tried to use /etc/crypttab and store the key in a file somewhere that's owned by root and has 400 permissions, just to see if that method can do the automatic unlocking of the encrypted device?

      If you're making said file that /etc/crypttab will use remember to do echo -n 'whatever' > yourfile, instead of just echo, else you'll bang your head against the wall not understanding why the stored password isn't working. Ask me how I know. 😉

      I haven't tried it.

      @dbeato said in Decrypting a LUKS encrypted drive at boot:

      Did this work for you? https://www.malachisoord.com/2023/11/04/decrypt-additiona-luks-encrypted-volumes-on-boot/

      I've never seen it, will review.

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • RE: Decrypting a LUKS encrypted drive at boot

      @Obsolesce said in Decrypting a LUKS encrypted drive at boot:

      @DustinB3403 does it have a TPM2 chip?

      This vm doesn't, nor a vtpm

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • Decrypting a LUKS encrypted drive at boot

      So I have an internal development project I'm working on and I'm trying to sort out specifically how I can decrypt a luks encrypted partition built on a separate mdadm R1 at boot time so that the drive is always available if the system should reboot.

      Obviously this isn't an ideal solution since the key would have to be stored in plain-text somewhere outside of the array, but I'm curious if anyone else has had to do something like this and what protections that you may have put into place to protect this information.

      Alternatively, the obvious solution would be some intervention to unlock the drive after a reboot, but I was hoping to avoid this manual intervention.

      Thanks in advance

      posted in IT Discussion mdadm linux luks
      DustinB3403D
      DustinB3403
    • RE: IBM Datapower on Linux

      Okay for anyone still around, I was able to get this sorted, it appears that the initial file I was using was either corrupted or maybe a patch for an existing installation.

      I've documented the process, copied below for reference. I won't be sharing IBMs RPM's on this post. You should be able to get these directly from IBM's website free of charge, but your mileage may vary.

      Installing IBM Datapower on CentOS 8/9 or Rocky Linux 8/9 to your Hypervisor/Cloud Provider

      Minimum System Requirements
      • 4 vCPU
      • 16 GiB RAM
      • 80 GiB Disk Space
      • 4 Network Interfaces – with DHCP or Statically Assigned IPs
      • 2 Available Loop devices – Documented Below
      • Default Partitioning will work, can be configured to meet any security requirements (separate LV for VAR for example)
      • Installation without a GUI recommended with these below features
      ◦ “Server Installation” Option
      ▪ Guest Agents (Drivers for Hypervisor/Cloud recommended)
      ▪ Remote Management for Linux recommended – SSH and or Cockpit
      • Root only account – User accounts are unnecessary
      • Security Policy to adhere to any State/Fed requirements (may effect Installation Destination configuration – not documented here).

      Configure Timezone and any other settings as required – no specific documentation needed

      Sample User: root
      Password: your-password

      Upon installation check for updates and install a few required repositories.

      sudo dnf update -y
      sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
      sudo dnf update -y
      sudo dnf search schroot
      sudo dnf install schroot ipvsadm kmod telnet -y
      

      Post installation of dependencies we need to confirm our loop devices are configured.

      Confirm what loop devices exist (likely there is only 1) so we’ll need to create some with the below.

      List your loop devices:

      ls -l /dev/loop*
      brw-r-----  1 rootls  disk 7,  0 Jul 24 17:49 /dev/loop-control
      

      We only have the loop-control device, so create two more loop devices with the below.

      mknod -m660 /dev/loop1 b 7 8
      mknod -m660 /dev/loop2 b 7 8
      

      Confirm the devices are listed.

      ls -l /dev/loop*
      brw-rw----. 1 root root  7,   8 Nov 27 08:10 /dev/loop1
      brw-rw----. 1 root root  7,   8 Nov 27 08:10 /dev/loop2
      crw-rw----. 1 root disk 10, 237 Nov 27 07:51 /dev/loop-control
      

      Now transfer or download the Datapower and LibgCrypt RPMs to this system using something line wget or WinSCP depending on access. You can find libgcrypt here (https://rpmfind.net)

      Once transferred, you may have to decompress the installation files.

      tar -xf idg_lx10540.cd.ASL.prod.tar
      

      Now we can install the program

      sudo yum install idg_lx.10540.image.x86_64.rpm idg_lx10540.common.x86_64.rpm
      

      Once installed, you’ll connect to the system via telnet on the system’s loopback address

      telnet 127.0.0.1 2200
      Initial login is: admin
      Initial Password is: admin
      

      Confirm to all prompts with Y and then run/create and confirm a new password

      You must restart the DataPower Gateway to make the Common Criteria policies effective.

      idg# configure terminal;web-mgmt;admin-state enabled;local-address 0 9090;exit
      Global mode
      Modify Web management service configuration
      

      Now you can go to the web console via your computer and using the primary IP address. In our example
      https://ip-address:9090

      You’ll use the login password you created while connected via SSH. You’ll have to create yet another new password.

      Once the password is updated, you’ll be able to login and complete the setup by accepting the license agreement.

      After accepting the licensing agreement the system will need to reboot. After logging in via SSH you’ll need to restart the web interface.

      telnet 127.0.0.1 2200
      admin
      <password>
      idg<config> 
      idg <config> configure terminal;web-mgmt;admin-state enabled;local-address 0 9090;exit
      

      That's the complete installation process from start to finish. The last step would be to setup initialization of the datapower service upon restart. I'll be working on this sometime this week probably so that the environment is fault tolerant.

      posted in IT Discussion
      DustinB3403D
      DustinB3403