    • RE: Tactical RMM

      @notverypunny said in Tactical RMM:

      but I was unaware of the whole monero issue https://www.reddit.com/r/msp/comments/rqm0go/a_statement_from_the_founder_of_tacticalrmm/

      There is no issue. This is just BS stuff. It's not a thing, you weren't aware because it's not a real issue.

      posted in IT Discussion
      scottalanmiller
    • RE: Tactical RMM

      @travisdh1 said in Tactical RMM:

      @notverypunny said in Tactical RMM:

      Is there a general consensus with regards to the "appropriateness" of using Tactical in a production setting? I've set up a quick install to test and evaluate but I was unaware of the whole monero issue https://www.reddit.com/r/msp/comments/rqm0go/a_statement_from_the_founder_of_tacticalrmm/

      Given the increasing costs of everything we're being asked for possible ways to cut opex but wouldn't want to put my head on the chopping block in the event that things go south.

      There was no monero issue, unless someone screwed up by the numbers.

      What other RMM are you able to audit the code for? All the closed source ones are generally even worse.

      And I like that I can run it on my own system. Not worried about a vendor getting compromised through other clients or whatever. I can lock TacticalRMM down however makes sense for me.

      posted in IT Discussion
      scottalanmiller
    • RE: Production KVM server "hardening"?

      @Pete-S said in Production KVM server "hardening"?:

      Thanks! My intention was to put the management network behind a VPN - with MFA for human access.

      We go farther and don't enable SSH. We use reach out, rather than reach in. It's more secure, extremely hard to attack.

      posted in IT Discussion
      scottalanmiller
    • RE: Production KVM server "hardening"?

      @Pete-S said in Production KVM server "hardening"?:

      VPN is used to get access to the private network. Servers are not accessible from internet.

      This is the part that is weird. Like.... if we look at it from the outside, it's the same...

      Step One: Access exposed port
      Step Two: Access server

      That behind the scenes it's a private network is irrelevant to someone attempting to access it. In both cases it's a published port that is heavily locked down with encryption and MFA. If you want, you can call the SSL layer of SSH a VPN (it literally is, in every sense) and you can call the inside of that tunnel a private network (it is in any meaningful sense) and voila, the two things are the same other than the double encryption which isn't "bad" but isn't beneficial either (typically.)

      A bit of pain, no gain. But putting on my security auditor's hat.... it's a bit of "making people annoyed at pointless security" which is, itself, a huge security hole that creates risk. When you make security too onerous, and especially if there is no security justification for it, you typically create both a business need and an emotional desire to circumvent the security.

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      @Fredtx said in Does block level sync exist?:

      My concern is if this was a major disaster recovery situation such as the building catching on fire, we would be dead in the water. Especially if those files/folders were sensitive data.

      If data integrity matters, block level is definitely not where you should be. You need application level awareness. That's a fundamental of backups (see my book on the subject, lolololol, no but seriously, I cover this in the book.)

      posted in IT Discussion
      scottalanmiller
    • RE: Production KVM server "hardening"?

      @Pete-S said in Production KVM server "hardening"?:

      My primary concern right now is if there is any special configuration needed to run pure minimal linux KVM virtualization hosts in production in a responsible manner.

      Nothing too specific. Very much just general Linux hardening which is just general systems hardening.

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      @Fredtx said in Does block level sync exist?:

      @scottalanmiller said in Does block level sync exist?:

      @Fredtx said in Does block level sync exist?:

      Block level synchronization would not be possible here as the data is compressed on the receiver but not the sender and the appliances are receiving data from different senders; the blocks would not look the same."

      That would cause some amount of problem, yes. If they were compressing in the right place, though, it would not. This is a design flaw, not a data integrity flaw.

      Here's an article on how their replication works. How offsite replication works barracuda backup

      It says:
      "When data is transferred offsite, it is further deduplicated by checking to see if the file part already exists on the offsite replication destination. If the part does not exist, the part is compressed, encrypted using 256-bit AES encryption, and transferred to the replication destination. If the part already exists on the offsite replication destination, the part is simply dropped and not transferred offsite."

      From what I see. The backup (vm and agent level) of the servers to the Barracuda appliance (local server linux box) is application aware, but the offsite replication is not.

      Dedupe, not compression, would be pretty simple to test if files are the same. Sounds like they are just lazy.

      FYI: I'd never use barracuda stuff. These are the guys who had a fully open back door in their FIREWALLS open to the public. They are definitely a vendor I would never consider for anything critical. Email filtering, I suppose. But why do you have them for backups?

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      I do backups for financial systems, for example. And we always explain "well, we can quiesce the database and ensure that database is not corrupt, but we can never know if the database has been given quiesced application data because only the developers can tell us that".... and 99% of the time, the devs don't even know themselves and never accounted for needing to make the application safe to back up at all!

      When I have my application developer hat on, we make our applications to have their own backup tools, because it's literally the only safe way to know you are getting good backups of a live system. The only. Full stop. If our customers were to buy backup software, it would be so goofy... because it would be extra effort to be less safe.

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      @Fredtx said in Does block level sync exist?:

      I'm trying to get our division's backup process in order, and looking at how everything is done, and why is it being done like the way it is, and if it's even working like it's supposed to.

      Honestly, if your PARENT company doesn't understand backups, just get them to sign off that doing what they do is good enough and don't make this your problem. If you want to get into backup theory and how to truly protect data it will...

      1. Never, ever be something that people doing this crap will understand.
      2. Make them look like idiots for taking something so critical and ignoring the obvious problems with it (not even talking about the one you found.)
      3. Put you in the line of fire for making managers look bad for not knowing the basics.

      There's no upside to you.

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      @Fredtx said in Does block level sync exist?:

      Barracuda backup is application aware for things like SQL and AD. Which takes a copy of the files, and puts it on the backup appliance (linux server)

      Right, which is just a fancy way of saying it uses VSS. Everything does that, that's not considered application aware, because absolutely everything has that level of awareness - the agent that has the awareness is part of the OS. Barracuda isn't aware of any third party applications, including those that run on top of MS SQL.

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      @Fredtx said in Does block level sync exist?:

      @scottalanmiller said in Does block level sync exist?:

      Right, which is just a fancy way of saying it uses VSS. Everything does that, that's not considered application aware, because absolutely everything has that level of awareness - the agent that has the awareness is part of the OS. Barracuda isn't aware of any third party applications, including those that run on top of MS SQL.

      Yea, I'm aware it uses VSS. I thought that's what you were referring to when talking about application awareness. But looks like you are referring to something else that I have a lack of knowledge or understanding on.

      VSS is application aware, just of only one or two applications that we rarely care very much about. It's not aware of YOUR applications, but it knows about SOME applications. In a world of hundreds of thousands of applications, it probably knows a few dozen and that's about it. Nearly all are MS applications like AD and Exchange. That's about it.

      In all these years, I've never once run into any application outside of the stock MS apps that any vendor took the effort to be application aware of natively out of the box for a general purpose backup software. It's just impossible to address everyone's (let alone anyone's) needs, so there's no point in pretending.

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      @Fredtx said in Does block level sync exist?:

      This design is "supposed" to adhere to the Backup 3-2-1 rule, but I guess technically it does not since the barracuda appliance (where local backup copies of servers reside) is replicating to another appliance at the block level. It's only hoping all the data is copied to the offsite storage.

      If it was replicating for real, it could be verified with checksums. Everyone else that does this can do that.

      posted in IT Discussion
      scottalanmiller
    • RE: Camera Server Can't Ping Network Device

      @garak0410 said in Camera Server Can't Ping Network Device:

      Any suggestions on what the cause could be?

      Is the subnet set correctly on each device?

      posted in IT Discussion
      scottalanmiller
    • RE: Does block level sync exist?

      @Fredtx said in Does block level sync exist?:

      @scottalanmiller Let me clarify. I want to make sure the "good" backups are copied to the offsite storage. So if the building were to catch on fire or something, and the good copies are destroyed. I would want to be able to restore from the offsite storage. In my case, some of the data was missing from the offsite storage that should have been replicated from the local "good" backup. Not sure what happened, and why it was not copied over, but it did not. I figured there would be some kind of sync mechanism that would have caught that ahead of time, which Barracuda said there is no such sync. That is why I reached out to the community.

      We understand. And that's important because clearly your sync failed. It's just that it also exposed the fact that the original backups are not application aware (unless there is no application) so that is something that you should see as a very, very large issue. If you are responsible for the backups, that is. Otherwise, not your monkeys, not your circus.

      posted in IT Discussion
      scottalanmiller
    • RE: SUSE Manager for managing CentOS and SUSE servers.

      @openit said in SUSE Manager for managing CentOS and SUSE servers.:

      I believe SUSE Manager is the kind of product I'm looking for, especially for patching CentOS and SUSE servers.

      Patching isn't something you need much for. That's the most basic of tooling and pretty universal. What kind of product are you looking for?

      posted in IT Discussion
      scottalanmiller
    • RE: rDNS PTR records - why?

      They are rarely important. The only major use of them is as one additional layer of spam protection, but a VERY minor one.

      Where you see them used a lot is things like a traceroute. That's what allows you to identify the hops along the route.

      posted in IT Discussion
      scottalanmiller
    • RE: POTS line replacement

      @pmoncho said in POTS line replacement:

      Our POTS line pricing was bumped again and with a call to AT&T we found out that there was a "newish" service AT&T Phone for Business Advanced. This service is supposed to be the replacement for specialty analog lines like Security/Fire Systems, elevators and such. The cost with 3-5 lines is significantly cheaper than our current bill.

      If POTS is a requirement, then obviously this isn't an option for you. If this is an option (to leave POTS), why not leave to a business class modern phone system?

      First rule of phones: rule out your local infrastructure provider as a potential candidate. It's the one company it is never safe to use.

      posted in IT Discussion
      scottalanmiller
    • RE: POTS line replacement

      @gjacobse said in POTS line replacement:

      I don't know about other ATAs... but the carriers here seem to love to update / change the protocols and burn us on faxes..

      Faxes are basically free. If you are using ATAs or other antiquated fall back systems to do fax (or really, faxing at all) the vendors know you have no IT oversight in charge or are totally screwed and over a barrel. That means, guaranteed, that providing a good service or a good price has NO value to you as a customer. By needing that kind of stuff, you are informing the vendors that you are absolutely willing to pay through the nose because there are free, secure, easier ways that replaced faxing decades ago. If you could move off of faxing, obviously you would. So there's something causing you to be stuck. So obviously they are going to charge a LOT and put zero effort into making it work. And if that's not good enough for their customers, they are free to not use fax. That they continue to use fax means, beyond a shadow of a doubt, that the cost and complexity of fax is still determined to be a good value by whoever is the decision maker.

      posted in IT Discussion
      scottalanmiller
    • RE: POTS line replacement

      @pmoncho said in POTS line replacement:

      @Pete-S said in POTS line replacement:

      @pmoncho said in POTS line replacement:

      We also have a call into our Security/Fire Alarm company on what the cost of a replacement alarm system is and if it can work over cellular. We will then see which will have the best ROI depending on years of service.

      It's highly unlikely that you need to replace the alarm system, as most commercial security systems can be expanded with different modules. Moving from POTS to IP or cellular is very common.

      It's also very possible that your alarm system will not work over your AT&T ATA (POTS emulation). Some alarm systems don't use the same signaling as a modem or fax would.

      I found the manual online and this is the section describing the transmitter itself.

      "Digital Alarm Communicator/Transmitter
      Two modular phone jacks allow easy connection to telephone lines. Modular jacks are labeled PH1 for Primary Phone Line and PH2 for Secondary Phone Line. Two telephone line active red LEDs are provided as well as a green Kissoff LED. The integral digital communicator provides the following functions:
      • Line Seizure: takes control of the phone lines disconnecting any premises phones
      • Off/On Hook: performs on and off-hook status to the phone lines
      • Listen for dial tone: 440 Hz tone typical in most networks
      • Dialing the Central Station(s) number: default is Touch-Tone®, programmable to rotary
      • For tone burst or touchtone type formats: discern proper Ack and Kissoff tone(s). The frequency and time duration of the tone(s) varies with the transmission format. The control panel will adjust accordingly.
      • Communicate in the following formats:
      Ademco Contact ID
      SIA-DCS-8
      SIA-DCS-20"

      With regards to signaling, this is the only thing that stuck out to me.

      Signalling is typically okay. That can be emulated or encapsulated.

      posted in IT Discussion
      scottalanmiller
    • RE: POTS line replacement

      @pmoncho said in POTS line replacement:

      I was pushed to the local infrastructure company. No one else will provide POTS to our building.

      That's by definition. POTS can only be provided by the local infrastructure company. Violating the first rule of telephony. Whoever pushed you there made all of the decisions, all. There's no "shop around", there's no "evaluate needs", it's just "do this thing, but I'll tell it to you in a roundabout way."

      POTS is never an appropriate answer to business (or home) telephony. It had a time and place, but that ended decades ago. And that's before we even talk about it as a legacy technology that should be ruled out on tech grounds. Then comes the financial discussion and why businesses would never entertain POTS because of the cost and lack of appropriateness to profits. There's no angle where POTS should be allowed into a list for consideration.

      I understand, someone high up simply made the decision end to end and that's it. But it wasn't a business decision, it was an emotional one (or worse) to satisfy something that doesn't make sense in a business setting.

      posted in IT Discussion
      scottalanmiller