    Posts by JaredBusch
    • RE: Password manager options for multi-user?

      @Kelly said in Password manager options for multi-user?:

      @JaredBusch said in Password manager options for multi-user?:

      @Kelly said in Password manager options for multi-user?:

      There it is. Secret server from Thycotic: https://thycotic.com/solutions/free-it-tools/secret-server-free/.

      /wtb pricing

      Their non-free tool has a ton of PAM features that aren't in most password managers, so I'm guessing that it isn't cheap. But, like so many vendors, you have to give them your contact info to get the basics, it looks like.

      Our company use would fit in the free tool and I will probably try it out as it looks nice.

      But I hate "request a quote" shit..

      posted in IT Discussion
      JaredBusch
    • Upgrading Nextcloud via CLI

      The built-in Nextcloud GUI updater works decently. But even their documentation says to use the CLI updater for larger installs to prevent timeout issues.

      Since version 15 finally became available in the stable channel a while back, I made a guide while I was performing the update.

      For the purposes of this guide, we are going to assume that you are running Nextcloud version 12+ and you are running it on Fedora.

      Log in to the command line and switch to the root user

      sudo su -
      

      Disable SELinux temporarily

      setenforce 0
      

      Change to the Nextcloud directory appropriate to the install

      # default location
      cd /var/www/html/nextcloud
      

      Put Nextcloud in maintenance mode

      sudo -u apache php occ maintenance:mode --on
      

      Make a snapshot of your VM

      I always make the snapshot at this point because once it is in maintenance mode, no new changes will be accepted.
      So if things go to hell and you need to revert, there will be no conflict files.

      Run the updater.

      sudo -u apache php updater/updater.phar
      

      It will display this for an update

      [screenshot]

      Answer yes and it will perform the update.

      [screenshot]

      Tell it no when asked to run the occ upgrade command.

      I have had issues with answering yes at this step in the past and just never let it do it anymore. Someday, when I have free time, I will test this out again.
      [screenshot]

      Run the occ upgrade command.

      sudo -u apache php occ upgrade
      

      [screenshot]

      Turn maintenance mode back off.

      sudo -u apache php occ maintenance:mode --off
      

      Turn SELinux back on.

      setenforce 1
      

      Exit from the root user.

      exit
      

      Verify the update is successfully reflected in the web interface

      [screenshot]

      Perform any follow up tasks now listed in the warnings section.

      [screenshot]

      posted in IT Discussion nextcloud upgrade cli fedora nextcloud upgrade
      JaredBusch
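      The steps in the post above, wrapped into one script as an added example (this is not code from the post or from Nextcloud). It does what the guide does by hand, with two additions a practitioner wants: a preflight that refuses to start if occ or the updater are not where expected, and an EXIT trap so that a failure half-way leaves the instance out of maintenance mode and SELinux back in enforcing rather than permissive. The variables NC_DIR, WEB_USER, DRY_RUN and NC_UPGRADE_RUN are this example's own settings, not Nextcloud options.

```shell
#!/bin/sh
# Added example, not from the original post: the post's manual Nextcloud CLI
# upgrade steps as one function that puts the instance back online and SELinux
# back to enforcing even when a step fails part-way. NC_DIR, WEB_USER, DRY_RUN
# and NC_UPGRADE_RUN are this example's own settings, not Nextcloud options.
set -eu

NC_DIR="${NC_DIR:-/var/www/html/nextcloud}"   # default location from the post
WEB_USER="${WEB_USER:-apache}"                 # Fedora + Apache; www-data on Debian
DRY_RUN="${DRY_RUN:-0}"                        # DRY_RUN=1 prints commands instead of running them

# Run a command, or just print it when previewing.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Every occ call runs as the web server user, never as root: root-owned files
# left in the install would break the web process afterwards.
occ() {
  run sudo -u "$WEB_USER" php "$NC_DIR/occ" "$@"
}

# Armed as a trap below: whatever goes wrong, maintenance mode comes off and
# SELinux goes back to enforcing instead of staying permissive.
cleanup() {
  occ maintenance:mode --off || true
  run setenforce 1 || true
}

# Refuse to start unless the install and its updater are where we expect.
preflight() {
  [ -f "$NC_DIR/occ" ] || { echo "preflight: no occ in $NC_DIR" >&2; return 1; }
  [ -f "$NC_DIR/updater/updater.phar" ] || { echo "preflight: no updater.phar under $NC_DIR" >&2; return 1; }
}

nextcloud_upgrade() {
  preflight
  trap cleanup EXIT
  run setenforce 0
  occ maintenance:mode --on
  # Maintenance mode is on, so no writes are accepted: a snapshot taken now can
  # be rolled back to without producing conflict files (the post's point).
  echo "Take the VM snapshot now, then press Enter to run the updater." >&2
  [ "$DRY_RUN" = "1" ] || read -r _answer
  # The updater stays interactive, as in the post: answer yes to the update
  # and no when it offers to run occ upgrade itself.
  run sudo -u "$WEB_USER" php "$NC_DIR/updater/updater.phar"
  occ upgrade
  occ maintenance:mode --off
  run setenforce 1
  trap - EXIT
  # Quick check from the shell; confirming in the web UI as the post does still applies.
  occ status
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${NC_UPGRADE_RUN:-0}" = "1" ]; then
  nextcloud_upgrade
fi
```

      Preview the exact commands first with `DRY_RUN=1 NC_UPGRADE_RUN=1 sh nc-upgrade.sh` as root, then run it for real with `NC_UPGRADE_RUN=1 sh nc-upgrade.sh`. Set WEB_USER=www-data on Debian-based installs.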
    • Installing MS SQL Server Express on CentOS

      Microsoft makes this super easy, and @scottalanmiller has posted about this once back in 2017.

      First, as always when I write something, start with the minimal install. In this case, of CentOS 7, as Microsoft only supports the LTS model of operating systems. Their listed Ubuntu version is old. Also, you all know how much I love Ubuntu.

      Second, make sure your system is fully up to date.

      yum update -y
      

      Note: You do not need the EPEL.

      Now you are ready to go.

      Go get the SQL Server repository from Microsoft.

      sudo curl -o /etc/yum.repos.d/mssql-server.repo https://packages.microsoft.com/config/rhel/7/mssql-server-2017.repo
      

      [screenshot]

      Install SQL Server with yum

      sudo yum install -y mssql-server
      

      [screenshot]

      Then as instructed run the setup wizard.

      sudo /opt/mssql/bin/mssql-conf setup
      

      You will be prompted to choose your version.

      Choose the version you want. For this guide we are selecting 3) Express.
      [screenshot]

      You will then have to agree to the license terms.

      [screenshot]

      Now enter the sa user password you want for SQL Server

      The sa account is equivalent to the root account in MariaDB/MySQL
      [screenshot]

      You should see it was successfully completed.

      That's it, you are up and running.
      [screenshot]

      While you may be up and running now, you will also need to do a few more things to make it useful.

      Allow inbound connections through the firewall to the server if needed.

      In my case, I will have a remote server talking to this and I use Azure Data Studio from a Linux desktop to access this.

      sudo firewall-cmd --zone=public --add-port=1433/tcp --permanent
      sudo firewall-cmd --reload
      

      [screenshot]

      Add the Microsoft command line tools so you can locally manage the instance.

      This is a separate repository file from SQL Server itself.

      sudo curl -o /etc/yum.repos.d/msprod.repo https://packages.microsoft.com/config/rhel/7/prod.repo
      

      [screenshot]

      Install the tools.

      sudo yum install -y mssql-tools unixODBC-devel
      

      [screenshot]

      There are again license agreements to be agreed to.
      [screenshot]

      If you want to use the tools without typing the full path, add them to your path.

      echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bash_profile
      echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bashrc
      source ~/.bashrc
      

      You now have access to sqlcmd
      [screenshot]

      You can connect to the local instance like this. You will be prompted for your password.

      sqlcmd -U sa
      

      [screenshot]

      You can pass the password with the -P parameter.

      sqlcmd -U sa -P 'YourSuperSecretPassword'
      

      Note the single quotes. I always use them to ensure that, even if you have a special character, the password is accepted when passed this way.
      [screenshot]

      posted in IT Discussion linux centos centos 7 rhel database ms sql server ms sql server 2017 linux ms sql server 2017 guide how to
      JaredBusch
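      Two follow-ups to the firewall and sqlcmd steps above, as an added example (not code from the post or from Microsoft). The post opens 1433/tcp to the whole public zone and passes the sa password with -P; the script below instead limits 1433 to the one remote host that needs it with a firewalld rich rule, and hands sqlcmd the password through the SQLCMDPASSWORD environment variable (which sqlcmd reads) so it never appears in the process list, sudo logs or shell history. The function names, the SA_PASS_FILE location and the DRY_RUN switch are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: two follow-ups to the steps above.
# allow_sql_from opens 1433 only to the one client that needs it instead of to
# everything in the public zone, and sql_connect hands sqlcmd the sa password
# through SQLCMDPASSWORD (a variable sqlcmd reads) so it never sits in argv,
# `ps` output or shell history the way -P 'password' does. The function names,
# SA_PASS_FILE and DRY_RUN are this example's own conventions.
set -eu

DRY_RUN="${DRY_RUN:-0}"                         # DRY_RUN=1 prints commands instead of running them
SA_PASS_FILE="${SA_PASS_FILE:-/root/.mssql_sa}" # root-only file holding the sa password (assumption)

# Run a command, or just print it when previewing.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Same --permanent + --reload pattern as the post, but a rich rule scoped to
# one source address or CIDR instead of --add-port=1433/tcp for the whole zone.
allow_sql_from() {
  client="${1:-}"
  [ -n "$client" ] || { echo "usage: allow_sql_from <client-ip-or-cidr>" >&2; return 1; }
  run sudo firewall-cmd --permanent --zone=public \
    --add-rich-rule="rule family=\"ipv4\" source address=\"$client\" port port=\"1433\" protocol=\"tcp\" accept"
  run sudo firewall-cmd --reload
}

# Store the password read from stdin in a file created mode 0600. Feed it from
# a prompt (bash's `read -rs`) or a secret store, not from a command argument.
store_sa_password() {
  rm -f "$SA_PASS_FILE"
  ( umask 077; cat > "$SA_PASS_FILE" )
}

# Connect to the local instance as sa; extra sqlcmd arguments pass through.
sql_connect() {
  [ -r "$SA_PASS_FILE" ] || { echo "sql_connect: cannot read $SA_PASS_FILE" >&2; return 1; }
  SQLCMDPASSWORD=$(cat "$SA_PASS_FILE")
  export SQLCMDPASSWORD
  run sqlcmd -U sa "$@"
  unset SQLCMDPASSWORD
}
```

      Typical use after sourcing the file: `allow_sql_from 203.0.113.10` for the one application server that talks to the instance, `printf '%s' "$pw" | store_sa_password` once, then `sql_connect -Q "SELECT @@VERSION"` or plain `sql_connect` for an interactive session. Set DRY_RUN=1 to see the firewall-cmd and sqlcmd lines without executing them.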
    • RE: File sync and storage issue.

      Two way sync for something like this is a horrible design.

      What they should use is a file drop method to upload files from the field and never download anything.

      The field techs have zero need for this data, right? Make them use the web interface.

      Filedrop:
      [screenshot]

      Or let them see/delete what they uploaded, but disable downloads:
      [screenshot]

      Then the office workers will MOVE the file to a different location when they process the file and put it into the database. So this keeps the field tech view clean.

      posted in IT Discussion
      JaredBusch
    • RE: NGINX vs Apache

      Assuming you are just spinning up a web server for content? No.

      Almost no normal site will encounter any of the differences in the two web server stacks.

      If you are spinning up an application like Nextcloud, that supports both choices, go with the default choice of the developers.

      For Nextcloud, that is Apache. Not that Nginx doesn't work, because it does. But just because that is what the developers use.

      posted in IT Discussion
      JaredBusch
    • RE: Secure Meshcentral server on Vultr

      @pmoncho said in Secure Meshcentral server on Vultr:

      @JaredBusch
      Thanks. That is what I was thinking. I just read, read and read more, but I have not been a security through obscurity kinda person.

      When it comes to the internet, there is no such thing as security through obscurity.

      No one is looking at this shit. It is bots and they don't care WTF port they find open.

      There absolutely are bots out there attempting to open connections to every port on every IP.

      There are exactly 2 things that changing the port does.

      1. It reduces the hits, so you will have smaller logs of hits, but it is only a reduction. Once one of the bots finds it, your IP goes on a list and is resold.
      2. It causes you to fucking cuss at yourself every time you forget to use the "random" port you selected.
      posted in IT Discussion
      JaredBusch
    • RE: How can I show disk IO in glances

      So the real solution will be to wait for python3-psutil to update in the Fedora base repo. Currently it is still at 5.4.3.

      [root@nextcloud ~]# dnf list *psutil*
      Last metadata expiration check: 0:03:01 ago on Mon 18 Mar 2019 04:05:03 PM CDT.
      Installed Packages
      python3-psutil.x86_64                                                       5.4.3-6.fc29                                     @fedora
      

      Use the above workaround if needed until then.

      posted in IT Discussion
      JaredBusch
    • RE: Make Simple User Passwords

      @scottalanmiller said in Make Simple User Passwords:

      Ever need to make passwords for users and, let's face it, in the real world a lot of customers demand some pretty silly simple passwords. Using password generators often results in passwords that customers will not (and maybe cannot) use. A ridiculous situation, obviously, but it is reality. Passwords are simply difficult to often pass on to someone.

      When generating temporary passwords, having something super strong is rarely very important. But avoiding something too hard to be used is needed. But just making up something non-random or even non-unique is really bad.

      What's a compromise?

      https://www.dinopass.com/

      Yup, here is reality. Sometimes children's tools just make more sense when, well, you can draw your own conclusions.

      I use CHBS
      http://correcthorsebatterystaple.net/

      [screenshot]

      posted in IT Discussion
      JaredBusch
    • Apparently the 2.0 line of EdgeOS now supports ZeroTier

      ZeroTier works on ER-X 2.x

      # downloads ZeroTier's install script and runs it as root in one step
      curl -s https://install.zerotier.com/ | sudo bash
      # join the network; replace the placeholder with your 16-character network ID
      sudo /var/lib/zerotier-one/zerotier-cli join YourNetworkIDHere
      
      posted in IT Discussion edgeos edgeos 2.0.0 zerotier
      JaredBusch
    • Backblaze Q1 2019 stats published

      Backblaze Hard Drive Stats Q1 2019

      posted in IT Discussion backblaze backblaze b2 statistics
      JaredBusch
    • RE: Unable to log in to Cinnamon after installing Deepin

      Dropped to alternate shell with Ctrl+Alt+F2.

      sudo dnf group remove "Cinnamon Desktop"
      sudo dnf group install "Cinnamon Desktop"
      sudo dnf group remove "Deepin Desktop"
      sudo dnf group install "Cinnamon Desktop" # this installed 26 packages
      reboot
      

      Cinnamon Desktop usable again

      posted in IT Discussion
      JaredBusch
    • What is content ownership

      Found this today.

      Thoughts on content ownership and long, meaningful discussions

      By @julian

      posted in IT Discussion
      JaredBusch
    • SSH Hardening

      What do you do beyond disable root and require keys? Anything?

      Normally, this is all I do with /etc/ssh/sshd_config

      PermitRootLogin no
      PubkeyAuthentication yes
      PasswordAuthentication no
      

      This is for a system with port 22 available on the public internet. Obviously fail2ban is in place.

      This is my typical bundy_jail.local sshd section.

      [sshd]
      # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
      # normal (default), ddos, extra or aggressive (combines all).
      # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
      #mode   = normal
      port    = ssh
      logpath = %(sshd_log)s
      backend = %(sshd_backend)s
      enabled = true
      action = %(action_mw)s
      
      posted in IT Discussion ssh sshconfig hardening security fail2ban jumpbox
      JaredBusch
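      An added example for checking that the three sshd_config lines above actually took effect (this is not code from the post; the function names and the expected-value list are this example's own, and the two SAMPLE_* dumps are constructed, not real server output). It audits the output of `sshd -T`, the effective configuration, rather than grepping the file, because Include drop-ins and Match blocks can override what /etc/ssh/sshd_config says. It also checks the usual gap next to PasswordAuthentication no: keyboard-interactive authentication left on can still accept passwords through PAM.

```shell
#!/bin/sh
# Added example, not from the original post: checks the *effective* sshd
# settings from `sshd -T` instead of grepping sshd_config, because Include
# drop-ins (OpenSSH 8.2+) and Match blocks can override what the main file
# says. audit_sshd, sshd_value and the expected-value list are this example's
# own; the two SAMPLE_* dumps are constructed, not real server output.
set -eu

# key=value pairs to enforce. The first three are the post's settings; the
# others close the usual gaps: keyboard-interactive auth can still accept
# passwords through PAM even with PasswordAuthentication no. On OpenSSH older
# than 8.7 the key is challengeresponseauthentication instead.
SSHD_EXPECTED="permitrootlogin=no pubkeyauthentication=yes passwordauthentication=no \
kbdinteractiveauthentication=no permitemptypasswords=no x11forwarding=no"

# Print the value of one key from an `sshd -T` dump on stdin (keys are
# lowercase there), or (unset) if the key is absent.
sshd_value() {
  awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print "(unset)" }'
}

# Compare a dump on stdin against SSHD_EXPECTED: one line per setting, return 0
# only if every setting matches.
audit_sshd() {
  dump=$(cat)
  rc=0
  for pair in $SSHD_EXPECTED; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(printf '%s\n' "$dump" | sshd_value "$key")
    if [ "$got" = "$want" ]; then
      printf 'ok   %s %s\n' "$key" "$got"
    else
      printf 'FAIL %s is %s, expected %s\n' "$key" "$got" "$want"
      rc=1
    fi
  done
  return $rc
}

# Constructed dumps in `sshd -T` format: one matching the post's settings, one
# with root login re-enabled and keyboard-interactive auth left on.
SAMPLE_HARDENED="port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
x11forwarding no"

SAMPLE_WEAK="port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
permitemptypasswords no
x11forwarding no"

# On a live host (root is needed to read the host keys): sudo sshd -T | audit_sshd
```

      Source the file and run `sudo sshd -T | audit_sshd`; a non-zero exit means at least one FAIL line, which makes it usable from a config-management check or a cron job. Against SAMPLE_WEAK it reports permitrootlogin and kbdinteractiveauthentication, which is exactly the pair a grep of sshd_config would miss if a drop-in file re-enabled them.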
    • RE: BitTorrent/P2P technology for distributed file transfer of large files?

      You certainly can do this.

      Use whatever your preferred BitTorrent client is.

      Put your files where you want them in system one.

      Create a new torrent in the client with all of the files. Or a torrent per file or whatever.

      Save the torrent file and start seeding.

      Distribute the torrent file to systems two through X and start downloading.

      The process will speed up as each system gets pieces.

      posted in IT Discussion
      JaredBusch
    • RE: How do I replace one Domain Controller server with another and keep IP address?

      Migrate FSMO to DC2, Demote DC1, Disjoin DC1 from domain, Shutdown DC1.

      Clean up DC1 references.

      Spin up new DC3 using IP of DC1.

      posted in IT Discussion
      JaredBusch
    • RE: Windows Offline files won't sync

      I don't even bother to try anymore.

      • Make a copy outside of the sync location.
      • Delete from the sync location and the hidden sync location.
      • Make sure the folder is in solid sync.
      • Put the file back.
      posted in IT Discussion
      JaredBusch
    • RE: Skyetel tenant functionality

      Well, the month rolled, and so I now have a report.

      The tenant report is awesomely detailed for those that actually care about sending something on to a client.

      In my use case, the client just needed location specific break out, so I only care about the totals. But OMFG the awesomeness of the numbers....

      Great work on this part @Skyetel

      [screenshot]

      posted in IT Discussion
      JaredBusch
    • RE: TPM module - what is it used for?

      @Dashrender said in TPM module - what is it used for?:

      @black3dynamite said in TPM module - what is it used for?:

      I know with a Windows 10 desktop using BitLocker, TPM makes it possible for us to not have to enter a password to boot into Windows. I do believe Hyper-V also utilizes TPM as well.

      Not using a password to unlock the TPM seems to make that situation almost, I'm saying almost, pointless.

      No, the point is to tie bitlocker to that physical hardware. That is not useless.

      If you pull the drive, then you will not be able to decrypt it. It is not supposed to be the be all, end all of security.

      posted in IT Discussion
      JaredBusch
    • RE: Co-lo + 5 (or more) sites....connect 'em all

      @FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

      @scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

      @scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

      Hmmm...is this an option...? https://www.tnsr.com/

      An option in general? Sure, it's just a vRouter that does IPsec. I'm sure it is good, but you can't run it on an EdgeRouter because it's an OS.

      One would have to switch to pfSense if TNSR is a viable option.

      I guess the real question I'd have is... why? What about TNSR makes it interesting in any way? Aren't you just looking at replacing tried and true, built in IPSec implementations with this complicated package that is just repacking OpenSwan?

      I'm confused what you are trying to achieve. Connecting 5+ sites is the absolute clear use case for normal everyday IPSec on your outside hardware router. This is as "by the textbook" as it gets.

      Can you use other VPN tech for this like OpenVPN, yes. Should you? Not really, it has no benefits to you. IPSec is best for this for speed, support, ease of use.

      This is not a case where ZT has applicability unless you have needs that haven't been mentioned. Same with TNSR, what would this do other than make simple IPSec really hard and complicated for no reason?

      This feels like one of those Aaron threads where he's captivated by all kinds of shiny product pages and misses that he's trying to do something very straightforward that is handled best by the tools that everyone uses for this every day. I'm missing what is driving the attempt to research new, hip, flashy products as none of them seem to bring anything to this particular table.

      The claimed speeds are what caught my attention.
      TNSR "claims" they can do High Speed Site-to-Site IPsec VPN
      "TNSR provides secure high-speed routing solutions at 1, 10, 40, 100 Gbps, and beyond - at a fraction of the price of alternatives."

      Any vRouter should be able to do this though. All you need for any IPSEC solution is enough offloaded processing power to handle the chosen encryption level.

      posted in IT Discussion
      JaredBusch
    • RE: Edgerouter using BGP and setting up a guest network

      If you don't care what IP your guest network shows to the public, you should be able to do this.

      You should simply need to create a source NAT rule for the traffic.

      At various locations, I have fiber services delivered without an ISP router from the carriers. Part of that service is also a /29 block of IP addresses.

      What I do in those instances is put the /30 public IP that would normally be on the ISP router on my router, then I create source and destination rules to handle the traffic.

      ISP Assigned Router IP: 123.123.123.190/30
      Routed IP block: 123.122.122.138/29

      eth0 = WAN 123.123.123.190/30
      eth3 = LAN 10.200.0.1/23
      eth3.10 = Public Wifi 10.200.10.1/24

      set interfaces ethernet eth0 address 123.123.123.190/30
      set interfaces ethernet eth0 description 'AT&T FIber'
      set interfaces ethernet eth0 duplex full
      set interfaces ethernet eth0 firewall in name WAN_IN
      set interfaces ethernet eth0 firewall local name WAN_LOCAL
      set interfaces ethernet eth0 speed 100
      set interfaces ethernet eth3 address 10.200.0.1/23
      set interfaces ethernet eth3 description 'LAN'
      set interfaces ethernet eth3 duplex auto
      set interfaces ethernet eth3 firewall in name LAN_IN
      set interfaces ethernet eth3 firewall local name LAN_LOCAL
      set interfaces ethernet eth3 speed auto
      set interfaces ethernet eth3 vif 10 address 10.200.10.1/24
      set interfaces ethernet eth3 vif 10 description 'Guest Wireless'
      set interfaces ethernet eth3 vif 10 firewall in name Public_WiFi_IN
      set interfaces ethernet eth3 vif 10 firewall local name Public_WiFi_LOCAL
      

      Note that I do not assign the routed block to any interface.

      Some firewall rules to prevent talking and such..

      set firewall group address-group 10_0_0_0_8 address 10.0.0.0/8
      set firewall group address-group 10_0_0_0_8 description 'Entire 10.0.0.0/8'
      set firewall group network-group Public_WiFI_LAN description 'Public WiFi LAN'
      set firewall group network-group Public_WiFI_LAN network 10.200.10.0/24
      set firewall name Public_WiFi_IN default-action accept
      set firewall name Public_WiFi_IN description 'Public WiFi in to other interfaces'
      set firewall name Public_WiFi_IN rule 10 action accept
      set firewall name Public_WiFi_IN rule 10 description 'Allow response to existing connections'
      set firewall name Public_WiFi_IN rule 10 log disable
      set firewall name Public_WiFi_IN rule 10 protocol all
      set firewall name Public_WiFi_IN rule 10 state established enable
      set firewall name Public_WiFi_IN rule 10 state invalid disable
      set firewall name Public_WiFi_IN rule 10 state new disable
      set firewall name Public_WiFi_IN rule 10 state related enable
      set firewall name Public_WiFi_IN rule 20 action accept
      set firewall name Public_WiFi_IN rule 20 description 'Allow access to gateway'
      set firewall name Public_WiFi_IN rule 20 destination group address-group ADDRv4_eth3.10
      set firewall name Public_WiFi_IN rule 20 log disable
      set firewall name Public_WiFi_IN rule 20 protocol all
      set firewall name Public_WiFi_IN rule 30 action drop
      set firewall name Public_WiFi_IN rule 30 description 'Block all other access to private networks'
      set firewall name Public_WiFi_IN rule 30 destination group address-group 10_0_0_0_8
      set firewall name Public_WiFi_IN rule 30 log disable
      set firewall name Public_WiFi_IN rule 30 protocol all
      set firewall name Public_WiFi_IN rule 40 action drop
      set firewall name Public_WiFi_IN rule 40 description 'Block all SMTP'
      set firewall name Public_WiFi_IN rule 40 destination port 25
      set firewall name Public_WiFi_IN rule 40 log enable
      set firewall name Public_WiFi_IN rule 40 protocol tcp
      set firewall name Public_WiFi_LOCAL default-action drop
      set firewall name Public_WiFi_LOCAL description 'Public WiFi in to router'
      set firewall name Public_WiFi_LOCAL rule 10 action accept
      set firewall name Public_WiFi_LOCAL rule 10 description 'Allow DNS'
      set firewall name Public_WiFi_LOCAL rule 10 destination port 53
      set firewall name Public_WiFi_LOCAL rule 10 log enable
      set firewall name Public_WiFi_LOCAL rule 10 protocol udp
      set firewall name Public_WiFi_LOCAL rule 50 action accept
      set firewall name Public_WiFi_LOCAL rule 50 description 'Allow pings'
      set firewall name Public_WiFi_LOCAL rule 50 limit burst 1
      set firewall name Public_WiFi_LOCAL rule 50 limit rate 62/minute
      set firewall name Public_WiFi_LOCAL rule 50 log enable
      set firewall name Public_WiFi_LOCAL rule 50 protocol icmp
      

      Then I use NAT rules to specify how it routes out. I do not have a destination NAT rule here because there is no inbound traffic allowed. The NAT translation should handle the return traffic.

      In your case, you could just tell it to use the IP on the WAN interface instead of some other IP.

      set service nat rule 5995 description 'Outbound Public WiFi LAN Traffic'
      set service nat rule 5995 log disable
      set service nat rule 5995 outbound-interface eth0
      set service nat rule 5995 outside-address address 123.122.122.140
      set service nat rule 5995 protocol all
      set service nat rule 5995 source group network-group Public_WiFI_LAN
      set service nat rule 5995 type source
      
      posted in IT Discussion
      JaredBusch