So many attorneys on mangolassi. I’m impressed
Best posts made by NashBrydges
-
RE: Is Admitting That Someone's Suspicion of Guilt Is Correct Constitute Admission of Guilt
-
Ubuntu Upgrade 16.04 -> 16.10 Fails with Forbidden IP Error
So, on the heels of my last thread, I wanted to at least spend some time upgrading some of my Linux VMs to 16.10 and am running into an issue. When attempting to run the do-release-upgrade, I am getting this error...
Err Upgrade tool 403 Forbidden [IP: 91.189.88.162 80]
Get:1 Upgrade tool signature [836 B]
Fetched 836 B in 0s (0 B/s)
WARNING:root:file 'yakkety.tar.gz' missing
Failed to fetch
Fetching the upgrade failed. There may be a network problem.
Now I know that's not my IP. I've also just completed apt-get update so network connects out ok. Not sure what would cause this error. It is the same error I get no matter which VM I attempt it on if it is running 16.04, it won't allow this upgrade to run. I've also made sure that Prompt=normal in /etc/update-manager/release-upgrades.
Any ideas?
-
RE: NextCloud / Owncloud User registration
@JaredBusch said in NextCloud / Owncloud User registration:
@JaredBusch said in NextCloud / Owncloud User registration:
Might be a way to restrict it to certain domains or something.
Yup,
FYI...this function does not work out of the box. Once you enter the domain name to restrict registration and log out and back in, all settings have been reset.
I've figured out a workaround that allows me to manually add the allowed domains in the database directly and then fix the forms so that the field values can't be changed by another admin (or by me accidentally). This has been listed as an issue for nearly a year and this was the only way I was able to stem the tide of spam registrations. Have a look here for the workaround...
-
Looking for how-to on setting up a proxy
Hi All,
I am one of the (un)lucky bunch to have used StartSSL certs to secure my ScreenConnect webserver. Now that Google no longer recognizes those, I have clients who are getting a message that this website is insecure. I'd like to use Let's Encrypt but ConnectWise hasn't bothered to get off their ass to allow this so I'd like to setup either Nginx or Apache to serve as a proxy so that I can leverage Let's Encrypt.
I have no experience in this setup and much of the documentation I find online (my google-fu is failing me) seems to be woefully outdated, not to mention that not having done this before, I'm hoping to find something pretty detailed. Here's what I'd like to do...
I have a new, fresh install of ScreenConnect setup on a Ubuntu server. I've tested it in its native config and everything works using the standard 8040 and 8041 ports.
Can anyone point me to good documentation on how to setup Apache or Nginx as a reverse proxy? The aim here is that it will only serve to allow the use of Let's Encrypt for certs so the plan is that I only need to secure the web portal. If I understand this correctly, the certs will secure the proxy on port 443 and it will redirect traffic to the standard port 8040 internally.
Btw I'm really hoping to find documentation that will describe the process in enough detail for a newbie. I like to figure these things out for myself a bit. It's one thing to have someone give you a step by step instruction manual but I also would like to understand what's happening so I can reproduce this later if needed.
-
RE: Looking for how-to on setting up a proxy
Thanks Scott. The error was because of the
include ssl.conf;
reference. I removed this line and now it connects and HTTPS is enabled. All seems to work. I'll have to test some more but...awesome! Thanks for your help!
-
RE: What's the current "standard" for a media server setup these days?
@wirestyle22 No, meaning I wanted all transcoding to happen on the SSDs. Had I installed the VM on the R510, I would have had the VM's vhdx on rotating platters in RAID6 so I didn't want that to get in the way of potentially resource intensive activity like transcoding. By placing the VM on the host with the SSD array, I'm leveraging that additional speed without worrying about transcoding running into some bottleneck.
-
RE: add Google Analytics to Wordpress?
If you're looking for free options as well, try here.
https://85ideas.com/plugins/best-google-analytics-plugins-for-wordpress/
-
RE: Installing Salt Master
I'd love to see a category created for all of these how-tos. I'm seriously running an ever growing bookmarks list and would love to be able to just refer to a category to look for these.
-
RE: Postal: A fully featured open source mail delivery platform
This outbound campaign tracking analytics is just like what MailChimp would give you. It's a pretty cool tool to have for anyone who is doing outbound email campaign work although I didn't notice specifics around handling opt-outs and no-contact lists which pretty much places it out-of-scope for external marketing.
Also, if the intent for this was outbound marketing to external recipients, if the URL redirection doesn't allow for whitelisting of domains, someone could spoof one of your campaigns, and use the redirect URL to anywhere they want, all using this handy little server.
For internal, same domain outbound email tracking and reporting, this could be very useful. But I've seen disasters from other tools with similar functions that didn't take into account a lot of CASL requirements (Canada).
Could make for a cool internal project though.
-
RE: ubiquiti indoor wifi receiver, any?
For indoor use and at those distances, @coliver may have the best idea. But each mesh hop drops bandwidth by about 50% so keep that in mind.
-
RE: Cable Management - Methods to the Madness and what happens when you need to replace
While I love cable pr0n as much as the next guy, I'd never setup an environment where replacing a single cable would be an all-day adventure. Velcro is the only cable tie that I find acceptable.
-
RE: What's Running in your Home Lab? - July 2017
"Home" lab is 10U at 3z colo.
2 x Dell R510 (Starwind)
1 x Dell R420
1 x Dell R620
1 x Dell R230
2 x Dell R210ii (Sophos XG in HA mode)
1 x Unifi 10G switch
Running:
- Plex (35TB)
- Fastvue
- FreePBX
- Kimai
- mFI Controller
- Minecraft
- Nextcloud
- Odoo
- Piwik
- Snipe-IT
- Taiga.io
- Unifi Controller
- Wordpress with various sites
- Wekan (client testing it out)
-
Recommended Nginx Config As Single Proxy For Multiple Web Servers
As the subject states, as I've become more familiar with Linux over the last few months, I started with simple Apache servers, then included SSL through Let's Encrypt for a single server, then found myself running multiple servers in this config. I then began incorporating Nginx along with SSL which brings me to now.
I'd like to setup a single Nginx VM to serve as proxy and manage all of the SSL certs for all web servers (currently running 7). They're all low traffic for internal team or a few clients and I'm likely to introduce other servers in the future as I find more and more things I want to test/try.
Are there any gotchas when setting up this way? Are there well known applications that will require SSL certs on both the proxy and the web server? Should I protect the connection between Nginx and all web servers anyway? They're all running on the same Hyper-V host so there's no concern for traffic going between Hyper-V hosts or to other services. Assuming it'll be easier to manage individual vhost files instead of one large one since each can be setup for one web server.
Really just looking for best practices here and/or any hints you might have that might simplify my life.
-
RE: Anyone Looked at HubSpot CRM
@jenny_co said in Anyone Looked at HubSpot CRM:
I had an opportunity to work with Hubspot and what I want to say is that it's quite easy-to-use. The interface is user-friendly and a huge advantage it provides is that you can try it for free but for limited basic functionality.
If you started using Hubspot the one more useful thing is Call Tracker for Hubspot CRM
That's 2 of your 3 posts so far that mention Call Tracker. Smelling a theme here. You wouldn't happen to be associated with said product would you?
-
RE: Anyone Looked at HubSpot CRM
@rojoloco said in Anyone Looked at HubSpot CRM:
@bigbear said in Anyone Looked at HubSpot CRM:
@rojoloco Yeah I mean the fact that it had MangoLassi in the bit.ly link, which was picked by the creator. But the Getty Images use for profile pic probably did it in.
Can't blame anyone for hustling. Just make a post "Please try my product" and maybe pay for an ad on the ML sidebar rotation.
I will always publicly call out these secret vendors/marketers/sales d***. Every time I see them. F*** that noise. They can peddle their bullshit elsewhere.
I'm ok with peddling, just be up front about it. Doesn't serve them when they get called out. Everyone has to make a living just hate when someone tries to deceive me.
-
RE: Do you use Guacamole?
@fateknollogee said in Do you use Guacamole?:
@nashbrydges I'm interested. You have any how-to-install notes?
I can't take any credit for these but I used the install script here with a fresh Ubuntu 17.04 install and it worked flawlessly.
https://www.chasewright.com/guacamole-with-mysql-on-ubuntu/
He also has one for a CentOS7 install somewhere on his site.
My Nginx proxy runs on a separate VM but the conf file for that looks like this.
server {
    listen 80;
    server_name mydomain.ca;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name mydomain.ca;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
    #Had to comment out the line below as the CSP policy broke functionality.
    #add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    server_tokens off;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    proxy_cookie_path / "/; secure; HttpOnly";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.79:8080/guacamole/;
        #The line below is required because Guacamole is essentially streaming so buffering would get in the way
        proxy_buffering off;
        proxy_redirect off;
        access_log off;
        proxy_cookie_path / "/; secure; HttpOnly";

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
One additional note that took some Googling. If you're going to remote into a Win 10 desktop, you not only need to disable the NLA checkbox but you also need the following registry change.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
Change the value from a 2 to a 1 for the following key
"SecurityLayer"=dword:00000001
So far it seems exceptionally smooth and way better than using my Sophos XG HTML5 RDP function. Not to mention I can run all of it through the proxy and manage SSL via Nginx which I can't do through Sophos XG.
-
RE: Do you use Guacamole?
@travisdh1 said in Do you use Guacamole?:
fail2ban can handle it, tho some issues with rule matching happens according to the Google search I just did. https://www.jimwilbur.com/2016/08/fail2ban_guacamole/
Fail2ban now appears to be blocking failed attempts.
Using your link, I noticed catalina.out wasn't capturing failed logins so I created a blank file at
/etc/rsyslog.d/tomcat.conf
and then restarted rsyslog.
The regex wasn't working and the link didn't have the proper regex to use so a little search brought me here.
https://www.cb-net.co.uk/linux/debian-8-6-proxy-guacamole-via-nginx-using-https-and-fail2ban/
About 3/4 of the way down, the correct regex is shown as follows.
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
Restarted Fail2ban and confirmed that the regex would work
fail2ban-regex '/var/log/tomcat8/catalina.out' /etc/fail2ban/filter.d/guacamole.conf
I tried to login using an incorrect user/pwd combo. Sure enough, the outcome was this (masked IP address).
nashbrydges@guacamole:~$ sudo fail2ban-client status guacamole
Status for the jail: guacamole
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 13
|  `- File list: /var/log/tomcat8/catalina.out
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: xxx.xxx.xxx.135
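How a Guacamole failregex of this shape picks the offending address out of a bracketed address list, and why the filter yields nothing when the backslashes before the square brackets are lost, shown as an added example that is not part of the original post. The log lines are constructed, `HOST_GROUP` is an IPv4-only stand-in for what fail2ban substitutes for `<HOST>`, and the function names are hypothetical.

```python
import re
from collections import Counter

# IPv4-only stand-in for the <HOST> substitution (assumption: fail2ban's real
# expansion is broader and differs between versions).
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The filter line with the brackets escaped, and the same line with the
# backslashes stripped, as can happen when it is copied from a web page.
ESCAPED = r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.'
UNESCAPED = r'\bAuthentication attempt from [<HOST>(?:,.*)?] for user ".*" failed\.'

# Constructed catalina.out lines (documentation addresses, not real data).
PREFIX = "10:01:02.100 [http-nio-8080-exec-1] "
SAMPLE_LOG = [
    PREFIX + 'WARN  Authentication attempt from [203.0.113.7, 192.168.100.10] for user "admin" failed.',
    PREFIX + 'WARN  Authentication attempt from [198.51.100.23] for user "guest" failed.',
    PREFIX + 'INFO  User "nash" successfully authenticated from [203.0.113.7, 192.168.100.10].',
    PREFIX + 'WARN  Authentication attempt from [203.0.113.7, 192.168.100.10] for user "root" failed.',
    PREFIX + 'WARN  Authentication attempt from [203.0.113.7, 192.168.100.10] for user "test" failed.',
]


def failed_hosts(failregex, lines):
    """Return the host captured from each failed-login line, or None when the
    expression is unusable as a filter (invalid, or no 'host' group)."""
    try:
        rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    except re.error:
        return None
    if "host" not in rx.groupindex:
        # Unescaped [ ... ] turned the whole <HOST> part into a character class.
        return None
    return [m.group("host") for m in map(rx.search, lines) if m]


def hosts_to_ban(failregex, lines, maxretry):
    """Hosts whose failure count reaches maxretry, as a jail would tally them."""
    hits = failed_hosts(failregex, lines) or []
    return sorted(h for h, n in Counter(hits).items() if n >= maxretry)


if __name__ == "__main__":
    print("escaped  :", failed_hosts(ESCAPED, SAMPLE_LOG))
    print("unescaped:", failed_hosts(UNESCAPED, SAMPLE_LOG))
    print("ban at 3 :", hosts_to_ban(ESCAPED, SAMPLE_LOG, 3))
```

Only the first address inside the brackets is captured; anything after the comma is skipped by the `(?:,.*)?` part of the expression.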
-
RE: Installing Debian 9.1 minimal
@jaredbusch said in Installing Debian 9.1 minimal:
@scottalanmiller said in Installing Debian 9.1 minimal:
I'm liking Debian more and more as I use it. However the install process has a ridiculous number of screens.
You can choose a different install method and should see fewer screens. My guides are not for the advanced users though.
The less advanced users thank you profusely for that.
-
RE: How to setup Nginx TLS certificate based Authentication (VPN alternative)
It's official, I'm NEVER getting through my to-do list. Must stop coming here. Lol