Tenet, after I finish History Of Swear Words.
Best posts made by NashBrydges
-
RE: Actionpack/Azure
@frodooftheshire The link states "Use your on-premises Windows Server licenses that include Software Assurance to save big on Windows Server VMs in Azure." I don't believe Action Pack licenses do. At least, not at the Silver level. If anyone knows otherwise, please chime in.
-
RE: Transfer Large File To Host = GOOD Transfer Large File To VM File Server On Same Host = BAD
@DustinB3403 said in Transfer Large File To Host = GOOD Transfer Large File To VM File Server On Same Host = BAD:
Also generally speaking you don't want to enable jumbo frames without reason as it can lead to weird issues. Do you know what reasoning there was / is to have this change in place?
I've made the recommendation to try turning off jumbo frames when I first took the client on and they did a few tests with no changes in performance so rather than change every PC and server and switch, they decided to keep it on (they had only tested turning it off to see if there was a difference).
-
RE: Transfer Large File To Host = GOOD Transfer Large File To VM File Server On Same Host = BAD
@minion said in Transfer Large File To Host = GOOD Transfer Large File To VM File Server On Same Host = BAD:
@momurda said in [Transfer Large File To Host = GOOD Transfer Large File To VM File Server On Same Host = BAD]
11ms is high for a local ping.
Very high. Everything here is less than 1ms.
Agreed, which is why I'm leaning towards there being something up with the VM, especially since transfers to and from the host are perfect. At a loss for where to look next as I've eliminated the usual suspects.
-
Recommendations For Storage Instance - Other than Vultr?
I've been trying to set up a Nextcloud instance and was ideally looking to set up on Vultr but their storage instance locations have all been sold out for many weeks now. Does anyone have any recommendations for alternatives that they've had good performance with? Preferably with pricing that is similar to Vultr's? I think ideally I'd want 250GB to 500GB, 1vCPU and 2GB RAM.
-
RE: Switches that support stacking / lag
@scottalanmiller I've had the worst luck with Netgear over the years. Too many failures. Sure their lifetime warranty is great but it's a pain in the ass when they fail. On the other hand, I've had great luck with Ubiquiti and Dell switches.
-
RE: What's Running in your Home Lab? - July 2017
@dafyre Yes it does, but Decks is much too elementary. Doesn't have time tracking. Doesn't have ability to add comments or attachments. Doesn't have ability to create parent/child tasks (create task dependencies)...etc. I'm enjoying Taiga right now with the team. Even allows me to track issues right within the board. It's missing the time tracking element though and still not sure it does task dependencies well. Kanboard was another I tried but I can't create detailed custom roles I really wanted. As I'm testing Taiga.io and comparing to Kanboard, I may end up going back to Kanboard. Integrates with Mattermost which is pretty awesome.
-
Do you use Guacamole?
I just set up a guacamole VM on my Hyper-V host and after some fiddling with the Nginx conf file, I was able to get the portal to work through the proxy. Awesome! Now the paranoid side of me kicks in and probably unnecessarily. I've created a 40 character password to log into Guacamole along with a 30 character password for the subsequent Windows password. Wondering if anyone has ever heard of any security holes or issues with Guacamole that would make you re-think exposing it to the web even with SSL and long, complex passwords.
Is it time to put my tinfoil hat away? I realize that's what it was designed to do.
-
RE: Do you use Guacamole?
@stuartjordan said in Do you use Guacamole?:
Its very good, I have installed and used many times, would be nice to have a feature to limit the amount of login attempts or google Captcha.
I wrote a custom Fail2ban block script for a web app I had designed for a friend. Do you know where the access logs would be stored for Guac? I might be able to create something similar to use Fail2ban for.
-
RE: Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost
@brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:
@nashbrydges seems like they would be able to put their equipment in bridge mode for you.
They refuse to let that happen too. They tell me that if in bridge mode, the iptv will fail. What I really wanted was for them to enable the second network connection on the ONT but they won't do that either. Sigh. I'd switch to another provider if I wasn't already addicted to the Gb speed.
-
RE: Shortened URLs
I don't trust ANY shortened URL, even if it is from a social media company I follow. Nothing to prevent some account takeover/compromise from posting a bad link so in each and every case, I unshorten the URL. Even if it is a company I trust and the link destination looks suspicious (i.e. to some domain that doesn't seem to be associated with the company in question), I won't click on it. I also try to train everyone I know to do the same. I'm sure most don't.
-
RE: Looking for virtualization advice
@scottalanmiller said in Looking for virtualization advice:
I'm a bit partial to Restoronix here, for obvious reasons.
I'm not sure I'd say that your bias for Restoronix is obvious. While I'm sure someone could find the reason after some digging around on the site, to ensure transparency, this is a case where I'd say a flat out disclaimer of your role with Restoronix should be required each and every time you make the recommendation. Many others on the site (if not most) carry the "Vendor" tag when they participate to highlight this, where in this case, you do not.
Btw, Restoronix may be the perfect solution, I'm not saying it isn't. But representing your product you may want to consider avoiding even the appearance of conflict.
For the OP who joined only a few days ago: https://www.mangolassi.it/post/324872
-
RE: Nginx Allow Domain Instead Of IP Address
Ok, I just found a ridiculously simple way of doing this. I'll post the how-to in a different thread.
-
How To Allow Site Access In Nginx By DDNS Instead Of By IP
In a previous post, I was looking for a way to allow access to a website behind a Nginx proxy based on a dynamic DNS domain. I had already set the allow/deny statements in the config file for the IP ranges assigned to the company, now I just needed a way to also allow access for the CEO from home when he has a dynamic IP.
The beauty of this, for this setup, is that I can allow access from within the config file "location" and this could be different for each of the domains configured on this Nginx instance.
Btw, credit where credit is due.
https://blog.zencoffee.org/2013/12/dynamic-dns-filtering-nginx/
First, here is the config file before with the allow/deny rules for the IP ranges. This company has 2 sets of assigned IP ranges.

```nginx
server {
    listen 80;
    server_name domain.ca;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name domain.ca;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
    add_header Content-Security-Policy "default-src" always;
    add_header X-Frame-Options SAMEORIGIN;
    ssl_stapling on;
    ssl_stapling_verify on;
    server_tokens off;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.ca/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    proxy_cookie_path / "/; secure; HttpOnly";
    location / {
        allow 192.168.1.0/24; #obviously not the real IP range but represents IP range 1
        allow 192.168.2.0/24; #obviously not the real IP range but represents IP range 2
        deny all; #deny all other IPs
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.61;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
Step 1:
I created a new file at /etc/cron.daily/ and named it getddns
Step 2
Added this code to the new file

```bash
#!/bin/bash
host mydynamicdomain.ddns.net | grep "has address" | sed 's/.*has address //' | awk '{print "allow\t\t" $1 ";\t\t# DDNS IP" }' > /etc/nginx/conf.d/homeip.inc
service nginx reload > /dev/null 2>&1
```
This will get the IP address for the DDNS domain and insert it into a file named "/etc/nginx/conf.d/homeip.inc", then reload Nginx.
Step 3
Make the new file executable

```bash
sudo chmod +x /etc/cron.daily/getddns
```

Step 4
Change the config file to include the new homeip.inc file which contains the allow statement for the DDNS domain. You can see the new line in the "location".

```nginx
server {
    listen 80;
    server_name domain.ca;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name domain.ca;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
    add_header Content-Security-Policy "default-src" always;
    add_header X-Frame-Options SAMEORIGIN;
    ssl_stapling on;
    ssl_stapling_verify on;
    server_tokens off;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.ca/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    proxy_cookie_path / "/; secure; HttpOnly";
    location / {
        include /etc/nginx/conf.d/homeip.inc; #THIS IS THE NEW LINE
        allow 192.168.1.0/24; #obviously not the real IP range but represents IP range 1
        allow 192.168.2.0/24; #obviously not the real IP range but represents IP range 2
        deny all; #deny all other IPs
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.61;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
That's it. Now the allow/deny rules will be updated once an hour with any changes to the dynamic IP address.
This is scheduled to run every hour but could be run every day instead if that's too frequent.
The nice thing about this option rather than using the firewall script from @Romo here is that users can be presented with an appropriate Access Denied 403 page rather than being blocked at the firewall. For a service like the PiHole, @Romo's script makes more sense but for a website, I like the ability to present the access denied page.
Edit: Updated for spelling in title
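The cron script in the how-to above writes whatever the resolver returns straight into a file that nginx includes, so a failed lookup produces an empty include (locking the remote user out until the next run) and a garbled answer could leave nginx refusing to reload. The script below is an added example, not the author's script or the zencoffee one it credits; it keeps the same idea (resolve the DDNS name, emit an `allow` line, reload nginx) but validates every address before writing it, only touches the include when the address actually changed, and runs `nginx -t` with a rollback before reloading. The hostname, include path and the `service nginx reload` command are placeholders taken from the post.

```shell
#!/bin/sh
# Added example (not the original post's script): a hardened version of the
# /etc/cron.daily/getddns idea. Hostname and include path are placeholders.
set -u

DDNS_HOST="${DDNS_HOST:-mydynamicdomain.ddns.net}"            # placeholder
INCLUDE_FILE="${INCLUDE_FILE:-/etc/nginx/conf.d/homeip.inc}"   # same path as the post

# Resolver step, kept separate so it can be stubbed; prints one IPv4 per line.
resolve_ddns() {
    host "$1" 2>/dev/null | sed -n 's/.*has address //p'
}

# Exit 0 only for a well-formed dotted-quad IPv4 address (four octets, 0-255).
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Turn resolver output (stdin) into nginx allow lines; anything that is not a
# valid IPv4 address is dropped so it can never land in the nginx config.
build_allow_lines() {
    while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf 'allow %s; # DDNS IP\n' "$ip"
        fi
    done
}

# Resolve, validate, write atomically, test the config, reload only on change.
update_include() {
    tmp=$(mktemp "${INCLUDE_FILE}.XXXXXX") || return 1
    resolve_ddns "$DDNS_HOST" | build_allow_lines > "$tmp"
    if [ ! -s "$tmp" ]; then
        # DNS failure or no usable answer: keep the previous allow list
        # instead of silently locking the remote user out.
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$INCLUDE_FILE" ] && cmp -s "$tmp" "$INCLUDE_FILE"; then
        rm -f "$tmp"        # address unchanged: nothing to reload
        return 0
    fi
    [ -f "$INCLUDE_FILE" ] && cp -p "$INCLUDE_FILE" "$INCLUDE_FILE.bak"
    mv "$tmp" "$INCLUDE_FILE"
    if nginx -t >/dev/null 2>&1; then
        service nginx reload >/dev/null 2>&1
    else
        # New include broke the config: put the last known-good one back.
        [ -f "$INCLUDE_FILE.bak" ] && mv "$INCLUDE_FILE.bak" "$INCLUDE_FILE"
        return 1
    fi
}

# Only run the update when installed under the cron job's name, so the
# functions above can be sourced and exercised without touching nginx.
case "${0##*/}" in
    getddns) update_include ;;
esac
```

Install it as /etc/cron.daily/getddns (or under /etc/cron.hourly for hourly updates) and make it executable as in Step 3. Two things worth keeping in mind with any DNS-driven allow list: the validation only guarantees that a syntactically valid address reaches nginx, so whoever controls the DDNS record controls which address is allowed, and because the `include` sits above `deny all`, the 403 page the post describes is still what every other client sees.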
-
RE: domain controller in the cloud for small office?
@mike-davis I've been using JumpCloud on Scott's recommendation from a few months ago. It's worked well for what I needed for my team but I don't have HIPAA requirements.
-
RE: Using Mattermost or RocketChat in a college environment
@black3dynamite said in Using Mattermost or RocketChat in a college environment:
@nashbrydges said in Using Mattermost or RocketChat in a college environment:
Something to keep in mind with Mattermost is that if you plan on using it with attachments, if you delete any message or channel with attachments, the attachments are never removed from the application. You'll end up with a constantly growing need for space if your use is attachment heavy. That's been confirmed with the Mattermost team. Haven't tested that with Rocket.Chat.
Is the Mattermost team working on a fix? Would it be best just blocking the ability to use attachments?
They don't consider it a bug. Here is their response to my question back in August.
https://github.com/mattermost/mattermost-server/issues/7139#issuecomment-320931644
-
RE: Using Mattermost or RocketChat in a college environment
@black3dynamite said in Using Mattermost or RocketChat in a college environment:
@nashbrydges said in Using Mattermost or RocketChat in a college environment:
@black3dynamite said in Using Mattermost or RocketChat in a college environment:
@nashbrydges said in Using Mattermost or RocketChat in a college environment:
Something to keep in mind with Mattermost is that if you plan on using it with attachments, if you delete any message or channel with attachments, the attachments are never removed from the application. You'll end up with a constantly growing need for space if your use is attachment heavy. That's been confirmed with the Mattermost team. Haven't tested that with Rocket.Chat.
Is the Mattermost team working on a fix? Would it be best just blocking the ability to use attachments?
They don't consider it a bug. Here is their response to my question back in August.
https://github.com/mattermost/mattermost-server/issues/7139#issuecomment-320931644
That's too bad. An option button to purge deleted items would be awesome. We have to manually delete them from the database?
Attachments are saved in folders with the same name as the comment and team it is associated with. The problem is that those are server generated IDs and do not use the team names or anything. What you have to do is figure out what items are orphaned items in the database and delete those folders either one at a time or script the process. It's an ugly, manual process that I haven't even had time to look into automating in any kind of useful way.
-
RE: Using Mattermost or RocketChat in a college environment
@black3dynamite Don't get me wrong, I'm not suggesting that you not use Mattermost. In fact, it's been our choice for my team for a few months. But the issue with attachments is something that I hope they'll address in a future release. For now, we use Alfresco for file management and instead of adding attachments to Mattermost, we use links to Alfresco hosted files instead.
-
RE: running Webroot + Malwarebytes?
@mike-davis said in running Webroot + Malwarebytes?:
I won't allow the free trial to be installed on client computers, so the paid version would be the only option. I was wondering more if having two products actively trying to scan files would end in contention issues. A manual scan kind of defeats the purpose in my mind.
I run both AV and Malwarebytes on lab equipment and some of my clients and never had a conflict.
-
RE: FreePBX 13 to FreePBX 14 Upgrade script in Beta
For those looking to do this upgrade, the link is no longer valid. Try this one...
https://wiki.freepbx.org/display/PPS/Upgrading+from+FreePBX+10.13.66+to+SNG7