
    Topics created by DustinB3403

    • Hardening RHEL (and RHEL Based OSs)
      IT Discussion | tags: ssh hardening linux rhel | 1 vote, 1 post, 192 views
      No one has replied

    • Unsolved: Decrypting a LUKS encrypted drive at boot
      IT Discussion | tags: mdadm linux luks | 0 votes, 8 posts, 690 views

      IThomeboy80:

      Here is something I found:

      1. Ensure LUKS Drive is Configured
      If the drive isn’t encrypted yet, you can encrypt it with LUKS:

          sudo cryptsetup luksFormat /dev/sdX

      Replace /dev/sdX with the appropriate drive/partition. Be cautious—this step will erase all data on the drive.

      2. Add the Drive to /etc/crypttab
      Edit the /etc/crypttab file to configure the system to unlock the drive at boot.

      Open the file:

          sudo nano /etc/crypttab

      Add an entry for the encrypted drive:

          cryptname /dev/sdX none luks

      cryptname: A name for the decrypted device (used later in /etc/fstab).
      /dev/sdX: Path to the encrypted device.
      none: Use none for a passphrase prompt at boot or specify a path to a key file.
      luks: Indicates LUKS encryption.

      Example:

          cryptdrive /dev/sdb1 none luks

      3. Add the Decrypted Device to /etc/fstab
      To automatically mount the decrypted drive after unlocking:

      Edit /etc/fstab:

          sudo nano /etc/fstab

      Add an entry for the decrypted drive:

          /dev/mapper/cryptname /mnt/mountpoint ext4 defaults 0 2

      Replace:

      /dev/mapper/cryptname with the mapped device from /etc/crypttab.
      /mnt/mountpoint with your desired mount point.
      ext4 with your file system type.

      4. Generate an Initramfs
      If the root file system or a critical drive is encrypted, you’ll need to update the initramfs to include decryption tools.

      Update the initramfs:

          sudo update-initramfs -u

      Verify that the cryptsetup package is installed in your initramfs configuration.

      5. Test Boot Behavior
      Reboot the system and observe the decryption process:

      If you specified none in /etc/crypttab, you should be prompted for a passphrase at boot.
      If a key file was used, the drive should decrypt automatically.

      6. Using a Key File for Automatic Decryption
      To avoid entering a passphrase at boot, use a key file:

      Generate a key file:

          sudo dd if=/dev/urandom of=/root/luks-keyfile bs=4096 count=1

      Set permissions:

          sudo chmod 600 /root/luks-keyfile

      Add the key file to the LUKS header:

          sudo cryptsetup luksAddKey /dev/sdX /root/luks-keyfile

      Update /etc/crypttab:

          cryptname /dev/sdX /root/luks-keyfile luks

      Update the initramfs:

          sudo update-initramfs -u

      Reboot to test automatic decryption.

      Troubleshooting
      Device not found during boot: Ensure the correct device path is used in /etc/crypttab.
      Passphrase prompt not appearing: Verify cryptsetup is installed and included in initramfs.
      Boot hangs or fails: Boot into a live session, comment out entries in /etc/fstab or /etc/crypttab, and investigate.
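A pre-reboot consistency check for the crypttab, fstab and key-file steps in the post above, added here as an example (not part of the thread and not a cryptsetup tool): it verifies that every /dev/mapper name mounted from fstab is declared in crypttab, that any key file referenced in crypttab exists with no group/other permission bits, and that crypttab does not depend on a bare /dev/sdX name that can renumber between boots (the "device not found during boot" case). The script name luks-precheck.sh is hypothetical, file paths are passed as arguments so it can run against copies, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot consistency checks for the
# /etc/crypttab and /etc/fstab entries built above. File paths are arguments
# so the checks can run against copies; pass the real files on a host.
# Print the mapper names (column 1) of all non-comment, non-blank crypttab lines.
crypttab_names() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}
# 1. Every /dev/mapper/<name> mounted by fstab must be declared in crypttab;
#    otherwise the mount fails at boot because the mapping is never created.
check_mapper_refs() {
    rc=0
    for dev in $(awk 'NF && $1 ~ "^/dev/mapper/" { print $1 }' "$2"); do
        name=${dev#/dev/mapper/}
        if ! crypttab_names "$1" | grep -qx -- "$name"; then
            echo "fstab mounts $dev but $1 has no entry named '$name'" >&2; rc=1
        fi
    done
    return $rc
}
# 2. A key file used for automatic unlock is a plaintext secret on disk: it must
#    exist and carry no group/other permission bits (chmod 600, as in the post).
check_keyfile_perms() {
    rc=0
    for kf in $(awk 'NF && $1 !~ /^#/ && $3 != "none" && $3 != "-" { print $3 }' "$1"); do
        if [ ! -f "$kf" ]; then
            echo "key file $kf does not exist" >&2; rc=1; continue
        fi
        mode=$(stat -c '%a' "$kf")   # GNU stat: octal mode such as 600 or 644
        case "$mode" in
            *00) ;;                  # group and other bits are all zero: ok
            *) echo "key file $kf has mode $mode, expected 600" >&2; rc=1 ;;
        esac
    done
    return $rc
}
# 3. Bare /dev/sdX names can renumber between boots ("device not found during
#    boot" in the troubleshooting list); UUID= references stay stable.
check_stable_device_refs() {
    rc=0
    for dev in $(awk 'NF && $1 !~ /^#/ { print $2 }' "$1"); do
        case "$dev" in
            /dev/sd*|/dev/vd*|/dev/nvme*)
                echo "crypttab refers to $dev; prefer UUID=<uuid> from blkid" >&2; rc=1 ;;
        esac
    done
    return $rc
}
# Run all three checks; nonzero if any of them failed.
check_all() {
    ok=0
    check_mapper_refs "$1" "$2" || ok=1
    check_keyfile_perms "$1" || ok=1
    check_stable_device_refs "$1" || ok=1
    return $ok
}
# Usage: sh luks-precheck.sh /etc/crypttab /etc/fstab
if [ "$#" -eq 2 ]; then check_all "$1" "$2"; fi
```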
    • Solved: IBM Datapower on Linux
      IT Discussion | tags: ibm datapower rhel linux troubleshooting luks | 0 votes, 5 posts, 884 views

      DustinB3403:

      Okay, for anyone still around: I was able to get this sorted. It appears that the initial file I was using was either corrupted or maybe a patch for an existing installation.

      I've documented the process, copied below for reference. I won't be sharing IBM's RPMs on this post. You should be able to get these directly from IBM's website free of charge, but your mileage may vary.

      Installing IBM Datapower on CentOS 8/9 or Rocky Linux 8/9 to your Hypervisor/Cloud Provider

      Minimum System Requirements
      • 4 vCPU
      • 16 GiB RAM
      • 80 GiB Disk Space
      • 4 Network Interfaces – with DHCP or Statically Assigned IPs
      • 2 Available Loop devices – Documented Below
      • Default Partitioning will work, can be configured to meet any security requirements (separate LV for VAR for example)
      • Installation without a GUI recommended with these below features
      ◦ “Server Installation” Option
      ▪ Guest Agents (Drivers for Hypervisor/Cloud recommended)
      ▪ Remote Management for Linux recommended – SSH and or Cockpit
      • Root only account – User accounts are unnecessary
      • Security Policy to adhere to any State/Fed requirements (may affect Installation Destination configuration – not documented here).

      Configure Timezone and any other settings as required – no specific documentation needed

      Sample User: root
      Password: your-password

      Upon installation check for updates and install a few required repositories.

      sudo dnf update -y
      sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
      sudo dnf update -y
      sudo dnf search schroot
      sudo dnf install schroot ipvsadm kmod telnet -y

      After installing the dependencies we need to confirm our loop devices are configured.

      Confirm what loop devices exist (likely there is only one); we’ll need to create some with the below.

      List your loop devices:

      ls -l /dev/loop*
      brw-r----- 1 root disk 7, 0 Jul 24 17:49 /dev/loop-control

      We only have the loop-control device, so create two more loop devices with the below.

      mknod -m660 /dev/loop1 b 7 8
      mknod -m660 /dev/loop2 b 7 8

      Confirm the devices are listed.

      ls -l /dev/loop*
      brw-rw----. 1 root root 7, 8 Nov 27 08:10 /dev/loop1
      brw-rw----. 1 root root 7, 8 Nov 27 08:10 /dev/loop2
      crw-rw----. 1 root disk 10, 237 Nov 27 07:51 /dev/loop-control

      Now transfer or download the Datapower and LibgCrypt RPMs to this system using something like wget or WinSCP, depending on access. You can find libgcrypt here (https://rpmfind.net).

      Once transferred, you may have to decompress the installation files.

      tar -xf idg_lx10540.cd.ASL.prod.tar

      Now we can install the program

      sudo yum install idg_lx.10540.image.x86_64.rpm idg_lx10540.common.x86_64.rpm

      Once installed, you’ll connect to the system via telnet on the system’s loopback address

      telnet 127.0.0.1 2200
      Initial login is: admin
      Initial Password is: admin

      Confirm to all prompts with Y and then run/create and confirm a new password

      You must restart the DataPower Gateway to make the Common Criteria policies effective.

      idg# configure terminal;web-mgmt;admin-state enabled;local-address 0 9090;exit
      Global mode
      Modify Web management service configuration

      Now you can go to the web console via your computer and using the primary IP address. In our example
      https://ip-address:9090

      You’ll use the login password you created while connected via SSH. You’ll have to create yet another new password.

      Once the password is updated, you’ll be able to login and complete the setup by accepting the license agreement.

      After accepting the licensing agreement the system will need to reboot. After logging in via SSH you’ll need to restart the web interface.

      telnet 127.0.0.1 2200
      admin
      <password>
      idg<config> idg <config> configure terminal;web-mgmt;admin-state enabled;local-address 0 9090;exit

      That's the complete installation process from start to finish. The last step would be to set up initialization of the Datapower service upon restart. I'll be working on this sometime this week, probably, so that the environment is fault tolerant.

    • CrowdStrike blames kernel level access on last month Microsoft outage, claims to
      IT Discussion | tags: crowdstrike azure kernel | 0 votes, 5 posts, 1.2k views

      DustinB3403:

      @Obsolesce said in CrowdStrike blames kernel level access on last month Microsoft outage, claims to:

      @DustinB3403 said in CrowdStrike blames kernel level access on last month Microsoft outage, claims to:

      @Obsolesce said in CrowdStrike blames kernel level access on last month Microsoft outage, claims to:

      @DustinB3403 said in CrowdStrike blames kernel level access on last month Microsoft outage, claims to:

      want to find a non-kernel based solution and that the EU is at fault.

      https://www.csoonline.com/article/3483641/crowdstrike-backs-microsofts-demand-for-reducing-kernel-level-access.html

      I still say it could have been avoided if CrowdStrike had tested the change on a single device prior to releasing it publicly. It could have been a simple automated test as part of their release pipeline.

      Even a better rollout strategy could have prevented it from going too far.

      What's funny is that CS is now saying that they have decided to start testing their releases with the use of "besides showing interest in working with Microsoft to work on the “kernel-level restrictions” development, is also taking a new approach to certify each new sensor release through the “Windows Hardware Quality Labs."

      What's also funny is that if you look at almost any open source software of similar caliber, they do all that stuff in their build and release pipelines or other workflows before public releases.

      Exactly!

    • Unsolved: Automated Log collection and Reporting for SOC2 Compliance Tools Search
      IT Discussion | tags: compliance soc2 tugboat | 0 votes, 1 post, 364 views
      No one has replied

    • Vulnerability Assessment and Alerting Solutions
      IT Discussion | tags: siem vulnerability open source | 0 votes, 13 posts, 2.0k views

      DustinB3403:

      @IRJ Yeah I've tried openVAS in the past, it wasn't bad, but it also wasn't great.

      I've ended up making some changes to my firewall and using Wazuh to report on my endpoints that are remote to our datacenter.

      Which works well enough for our needs

    • Solved: Troubleshooting poor network performance
      IT Discussion | tags: xen orchestra network performance backup aruba networking hub | 0 votes, 10 posts, 767 views

      DustinB3403:

      @scottalanmiller said in Troubleshooting poor network performance:

      @DustinB3403 said in Troubleshooting poor network performance:

      @DustinB3403 said in Troubleshooting poor network performance:

      Moving from that port which was only giving 10FDx to an unused port, gave us 1000FDx.

      I'm not sure where this issue stems from..

      Got it sorted out. For some reason (and I'm still working on the specifics) our ESXi host's secondary NIC keeps falling to 10FDx (likely some misconfiguration at setup).

      I've moved XO off of this NIC, and performance has been fixed.

      If you want to improve ESXi performance, install KVM.

      Yea, that's a different conversation entirely. I do want a outside of the XCP-ng pool environment, in case something goes sideways. I'm dealing with some sunk cost conversations about it, though I am making progress.

    • Unsolved: Synology Cloud Sync - Export a CSV Log
      IT Discussion | tags: synology cloud sync logs export | 0 votes, 7 posts, 683 views

      DustinB3403:

      @dbeato yeah that is a different utility (hyper-backup specifically).

      Cloud Sync doesn't actually seem to produce the report anywhere that I could find either.

      Grr

      Thanks for looking @dbeato

    • Define Air Gapped Networks
      IT Discussion | 0 votes, 10 posts, 641 views

      Obsolesce:

      @scottalanmiller said in Define Air Gapped Networks:

      @Obsolesce said in Define Air Gapped Networks:

      @DustinB3403 said in Define Air Gapped Networks:

      When using terminology like "Air Gapped" what is your first impression of it?

      When I see someone say they have an air gapped network, I think it to mean that the network is separate from the rest of the organization (through a physical disconnect), and that Air Gapped, does not imply the lack of internet.

      Air Gapped != Without Internet

      What's your opinion?

      An air gapped network is indeed physically isolated from other networks, but the key you're missing is that it is also isolated from the Internet. The primary characteristic being lack of any connection to outside networks, including the internet.

      It's not the "connection to the outside" that violates the air gap, the issue is that if BOTH networks connect to the Internet or any shared network, it clearly isn't air gapped. Air gapped systems can never talk to each other without a different mechanism passing messages in between that crosses the air gap.

      You misinterpreted what I wrote. Coupled with the first sentence, it's clear. Also, outside being outside said network, not necessarily public networks.

    • Unsolved: Cloud Based Auto-Attendant
      IT Discussion | 0 votes, 10 posts, 858 views

      scottalanmiller:

      @RojoLoco said in Cloud Based Auto-Attendant:

      @Danp said in Cloud Based Auto-Attendant:

      @DustinB3403 I used RC in the past, and it should be able to handle this without issue. You should only need to pay for a single user for this to work.

      We currently use RC. Honestly, as much as I want to bag on it, I can't. It works, all the time. The only thing I ever have to touch on RC is add/remove users.

      If you are only doing a single line or two, RC is basically unbeatable. Get beyond that, they start getting pretty pricey.

    • Windows Server Licensing
      IT Discussion | 0 votes, 4 posts, 313 views

      Obsolesce:

      @DustinB3403 said in Windows Server Licensing:

      HPE has some tool which indicates the inverse here

      This tool is correct, as far as I've last known.

    • Solved: Query Registry using a Variable
      IT Discussion | tags: powershell registry | 0 votes, 6 posts, 504 views

      Obsolesce:

      @DustinB3403 depending on what you want, you can also:

      $app = Get-ChildItem -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' | Get-ItemProperty | Where-Object -Property DisplayName -EQ "Microsoft Edge"
      $installDate = $app.InstallDate

    • Unsolved: Windows SDK to build an MSI
      IT Discussion | tags: sdk microsoft windows msi package management | 1 vote, 11 posts, 1.1k views

      DustinB3403:

      Thanks I'll give this a try today

    • O365 failure to setup User Mailbox using Outlook
      IT Discussion | tags: o365 outlook profile | 0 votes, 4 posts, 593 views

      DustinB3403:

      Yeah I found the issue, the environment has MFA enforced, but does not have Modern Authentication enabled.

      Just getting approval from the customer before making the change as I'm sure Outlook will prompt for the MFA codes for existing users.

    • Unsolved: Need Regex Help
      IT Discussion | tags: regex | 0 votes, 27 posts, 1.7k views

      travisdh1:

      @dustinb3403 said in Need Regex Help:

      @travisdh1 No, backend database access isn't available to me.

      Well, that's a little ****y. No db gui has given me everything I wanted to do with a database.

    • Goodbye hardware monitoring on HPE Gen10 and newer equipment running ESXi
      IT Discussion | tags: hpe raid monitoring esxi gen10 servers | 1 vote, 25 posts, 4.7k views

      Dashrender:

      @dbeato said in Goodbye hardware monitoring on HPE Gen10 and newer equipment running ESXi:

      @dashrender However centrally managed doesn't mean site to site VPN. I don't get MSP that have site to site VPNs to their customers. It is not feasible to maintain, it is a high risk and very old school.

      of course it doesn't.

      Using a tool like ScreenConnect - having all customer machines in a single account - means if SC's hacked, then every client is hacked...

    • Solved: Sonicwave AP
      IT Discussion | tags: sonicwall sonicwave identify | 0 votes, 5 posts, 443 views

      DustinB3403:

      [screenshot: YcEC7YYs7i.png]

      This is all you have within the SonicWall control, on or off. I saw this yesterday and assumed I was missing something critical. The most basic APs in the world include the "Identify AP" functionality.

      Apparently, SonicWall APs are more basic than basic as they don't include this functionality at all.

      On or off is all you get.

      [image: the-iconic-picard-facepalm.jpeg]

    • Symantec Endpoint Protection Manager 2018 Admin Password Reset
      IT Discussion | tags: symantec password reset anti-virus | 0 votes, 4 posts, 1.1k views

      DustinB3403:

      @dbeato yeah which I had none of that information nor do I know if email delivery was setup.

    • Removing Windows Installed Packages with Powershell
      IT Discussion | tags: powershell uninstall windows application management bloat how to | 1 vote, 8 posts, 935 views

      DustinB3403:

      @dashrender said in Removing Windows Installed Packages with Powershell:

      @dustinb3403

      Sure, but to Gene's point - you're not going to be installing crapware with Chocolatey - but the MS Store pre-loads your machine with a shit ton, and really, the only way to get rid of if all is using PowerShell.

      I love the first post for info sake itself... I just don't see the need to mention Choco in the same thread - it serves an entirely different purpose - not to mention the fact that it isn't even loaded by default, so if it's there - YOU know it's there.

      And again, you know how to install and uninstall applications with Chocolatey.

      But you may not know (or want to know how to learn to use Microsoft's App Store) and maybe you prefer to use a shell to remove applications from add and remove.

      While you know what you've installed with Choco, doesn't mean you know how to remove programs like in the OP which, again installed during the evening hours without me having installed it.

    • Sophos SSL VPN Client on Windows
      IT Discussion | tags: sophos annoyance | 1 vote, 3 posts, 466 views

      DustinB3403:

      @dbeato said in Sophos SSL VPN Client on Windows:

      For the old one you have to go to where the application is installed and remove the config file you don't want:
      \Program Files (x86)\Sophos\Sophos SSL VPN Client\config

      That's the answer!

      Thanks
