Best posts made by travisdh1

raspberry pi 3 setup and running, my presentation platform is ready

That sounds like a textbook response to finding security issues with your product. If one of my installs went wrong, I'd want to know.

The ones that complained or didn't fix anything could be an issue as it will look bad for NextCloud when they get hacked. You've done your due diligence in informing people and doing your best to inform them. The problem is now not your own, the 'Not My Problem Shield' is now effective.

@thanksajdotcom said in Random Thread - Anything Goes:

@MattSpeller said in Random Thread - Anything Goes:

@thanksajdotcom said in Random Thread - Anything Goes:

@Texkonc said in Random Thread - Anything Goes:

@thanksajdotcom said in Random Thread - Anything Goes:

You are obviously not watching football. They have the best record in the league right now.

Meh, I'm a Giants fan, and Broncos (I was a fan of them before Peyton). So I have to rag on them.

Go sportsball!

Sportsball, sportsball, our team is best in points!

Kalvinball anyone?

For my first blog post in a long time, I've written up a little bit on @scottalanmiller's LANLess network design/thinking. I'll take any comments from the peanut gallery here.

From: https://travisdh1.net/LANLess

First things first, the original idea here comes from Scott Alan Miller. The first presentation on the topic can be seen at https://mangolassi.it/topic/11257/scott-alan-miller-the-brave-new-lanless-future

LANLess - the word.
Yes, the word. It encapsulates an idea. Yes, an idea, nothing more.

LAN - Yes, we're talking about designing a network. Today this means much more than just a local LAN.

Less - Less LAN. Yes, really, that's the whole idea. Less of a LAN.

To get the idea, first let's look at a traditional LAN with some branch offices and remote access.

We can see a number of factors that make life more difficult for all involved here:

The security perimeter is huge, and encompasses every device connected to the network.
VPNs and/or remote access is difficult to do for a number of reasons:
Every device must be secured.
VPNs and/or remote access is a static thing, assigned per device or branch office connection.
Applications can live anywhere, making management more difficult.
Workstations access network services differently depending on where they're located.

Now let's take a look at this "Brave new LANLess world."

A number of things should be immediately obvious here:

The security perimeter is tiny, only encompassing network services.
SSL/TLS is in common use rather than static VPN
While every device is still a security risk, it is now only a risk for the limited amount of data and services that a particular user has access to.
SSL/TLS is just an on-demand VPN. It was originally called SSL-VPN: https://en.wikipedia.org/wiki/Virtual_private_network Basically, we're replacing static VPN with dynamically assigned VPNs.
All applications live within a single (hopefully) easily managed point.
All workstations access the same things no matter where they are located.
That's all great theory, how do I accomplish this?
The first key is to remember that, just because the servers, network servers and such are pictured within the main local LAN, does not mean they need or even should be hosted on-site or by yourself! The quick and easy methods of implementing the LANLess idea are already available in the form of Office365 and G Suite. If you're already utilizing one of these offerings, or a similar offering from another company, then you're already most of the way there.

If you absolutely must host everything yourself, then you have plenty of open source options available. Weather it makes sense to get an entire environment setup, running, and maintained yourself is always a business decision, and frankly doesn't make much sense more often than not. If you must, then I'd look at the following offerings:

Zimbra = Email, LDAP/Single Sign On, Chat, possibly Calendars and Task management
NextCloud = Files and File Shares
Spreed.ME = Video Chat, Meetings, Online Whiteboard
LOO/OnlyOffice = Online document creation, editing, and shared editing. (LOO = Libreoffice Online)
This is what I'm currently working on getting setup in my home lab. I don't see a reason for a business to go through all the hassle of integrating all of this and trying to secure it. The large companies like Microsoft and Google can keep things much more secure than any purely local IT department.

Travis Hershberger

Actually met? None that I remember, besides everyone that made the first MangoCon, you all rock.

Finally got a blog post up on this.

https://travisdh1.net/lenovo

@MattSpeller said in Random Thread - Anything Goes:

@RojoLoco said in Random Thread - Anything Goes:

@travisdh1 said in Random Thread - Anything Goes:

@scottalanmiller said in Random Thread - Anything Goes:

@travisdh1 said in Random Thread - Anything Goes:

@scottalanmiller said in Random Thread - Anything Goes:

@travisdh1 said in Random Thread - Anything Goes:

@Son-of-Jor-El said in Random Thread - Anything Goes:

@Son-of-Jor-El said in Random Thread - Anything Goes:

Another great 1 liner from this guy: "I don't understand why this is so difficult??!!" Well, you've been in the office for 3 hours since Monday. Yeah, I would say it's pretty difficult to fix something when you're not here. Never mind the fact that over 20" of snow had fallen the past 3 days.

No work on Monday, now this dude is sick and I had to reschedule the keyboard replacement until Thursday. Bet he'll use THAT against me too.

Sounds like the beginning of a Doughnut_Destroyer rant from that spicy place.

What did he rant about?

You don't remember those epic rants of his in the hidden spicy pepper group?

How would I? I'm not a Spicy Pepper.

Do tell.

You're like the spiciest pepper they have, did a mod boot you out?

I think he opted out of joining that group.

To be honest it's not one I would join for fun. Only for self promotion / job hunting / networking.

Frankly, their entire community forum doesn't get much of my time at all anymore.

More programming than IT, but still, I think we all get it.

https://lh3.googleusercontent.com/-7xe8JQiU3Wc/Wm-VjbZ3MBI/AAAAAAAAE6w/oxanHMdOZ6sbFRrEeke2zCTYXxmk40jwACJoC/w530-h582-n-rw/javascriptvsjava.PNG

@hobbit666 said in Random Thread - Anything Goes:

I just died a little inside.

@dustinb3403 said in Unifi Video:

@jaredbusch said in Unifi Video:

@dustinb3403 said in Unifi Video:

@jaredbusch said in Unifi Video:

@dustinb3403 said in Unifi Video:

Going to take a quick look at em, do these also work for the outside?

Not yet weatherproof. But they have that in planning accoring to their social posts I found.

Ok, so not the intended goal I had in mind, but for $30 bucks it isn't a bad solution.

I'm seeing a USB cord, I assume this means USB to a power block. Do you like the power options? Any option for PoE?

Strictly powered from USB.

Which would mean where-ever I want this unit I would need to have an outlet within so many feet. Hrm. .

There are inexpensive PoE to USB adapters around you know. I've been using one of these with my RPi3 for around a year now.
https://smile.amazon.com/gp/product/B01MDLUSE7/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

@scottalanmiller interview in Dilbert?

Configure vuls on CentOS 7

Install the epel-release repo package for needed depenencies

 sudo yum -y install epel-release

Install dependencies

 sudo yum -y install sqlite git gcc make wget yum-utils redis nano

Download Go

wget https://dl.google.com/go/go1.10.1.linux-amd64.tar.gz

Extract Go to /usr/local

sudo tar -C /usr/local -xzf go1.10.1.linux-amd64.tar.gz

Setup Go environment

mkdir $HOME/go
sudo nano /etc/profile.d/goenv.sh

goenv.sh should contain

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

Update the current environment with the goenv.sh information

source /etc/profile.d/goenv.sh

Setup Go CVE dictionary

sudo mkdir /var/log/vuls
sudo chown youruser:youruser /var/log/vuls
sudo chmod 700 /var/log/vuls
mkdir -p $GOPATH/src/github.com/kotakanbe
cd $GOPATH/src/github.com/kotakanbe
git clone https://github.com/kotakanbe/go-cve-dictionary.git
cd go-cve-dictionary
make install

Setup NVD vulnerablility data. This bit took a while on my 1cpu, 1GB ram, 100mb/sec VM. Seems to have spent most of it's time updating the database, so probably I/O bottlenecked in my case (single HDD). Also available in Japanese, see https://vuls.io/docs/en/install-manually-centos.html

cd $HOME
for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done

Deploy the Goval Dictionary

mkdir -p $GOPATH/src/github.com/kotakanbe
cd $GOPATH/src/github.com/kotakanbe
git clone https://github.com/kotakanbe/goval-dictionary.git

Fetch the distribution specific goval scanners. Also officially supports Alpine and Oracle Linux, but I don't use either on my Home Lab box.

1. CentOS/Red Hat

   goval-dictionary fetch-redhat 7

2. Debian

   goval-dictionary fetch-debian 7 8 9 10

3. Ubuntu

   goval-dictionary fetch-ubuntu 12 14 16 18

4. SUSE

   goval-dictionary fetch-suse -opensuse 13.2

Deploy vuls

mkdir -p $GOPATH/src/github.com/future-architect
cd $GOPATH/src/github.com/future-architect
git clone https://github.com/future-architect/vuls.git
cd vuls
make install

Setup and scan localhost

cd $HOME
nano config.toml

config.toml file should be

[servers]

[servers.localhost]
host = "localhost"
port = "local"

Check the config

vuls configtest

Run a scan

vuls scan

The scan will display a one-line report by default. If you want more detailed information, you can use 'vuls tui', or enable the web-based VulsRepo.

VulsRepo configuration

cd $HOME
git clone https://github.com/usiusi360/vulsrepo.git

Run a scan with a report vulsrepo can read

vuls report -format-json

Create the config file and update the PATHs, instructions say to use hardcoded path statements instead of ~ or $HOME.

cd $HOME/vulsrepo/server
cp vulsrepo-config.toml.sample vulsrepo-config.toml

Set the paths according to your environment

nano vulsrepo-config.toml

[Server]
rootPath = "/home/your user/vulsrepo"
resultsPath  = "/home/your user/results"
serverPort  = "5111"
#serverIP = "127.0.0.1"
#serverSSL = "yes"
#serverCert = "cert.pem"
#serverKey = "key.pem"

#[Auth]
#authFilePath = "/home/vuls-user/.htdigest"
#realm = "vulsrepo_local"

Update the vulsrepo.service file with the correct paths as well

nano ./scripts/vulsrepo.service

[Unit]
Description=vulsrepo daemon
Documentation=https://github.com/usiusi360/vulsrepo

[Service]
ExecStart = /home/your user/vulsrepo/server/vulsrepo-server
ExecRestart = /bin/kill -WINCH ${MAINPID} ; /home/your user/vulsrepo/server/vulsrepo-server
ExecStop = /bin/kill -WINCH ${MAINPID}
Restart = no
Type = simple
User = your user
Group = your user group (normall the same as your user)

[Install]
WantedBy = multi-user.target

Copy the service file to /lib/systemd/system

sudo cp $HOME/vulsrepo/server/scripts/vulsrepo.service /lib/systemd/system/vulsrepo.service

Enable the service

sudo systemctl enable vulsrepo

Start the service

sudo systemctl start vulsrepo

Open the firewall port

sudo firewall-cmd --permanent --add-port=5111/tcp
sudo firewall-cmd --reload

I have my instance running behind a reverse proxy that handles SSL. If you don't have a reverse proxy, GET SSL CONFIGURED NOW! vulsrepo.travisdh1.net

Setup basic authentication, so the entier internet can't see all of your vulnerabilities!

/home/your user/vulsrepo/server/vulsrepo-server -m

Password: lots of gobblygook
AuthFile Path	:  /home/travis/.htdigest
realm		:  vulsrepo_local
login user	:  vuls
2018/06/29 16:33:17 main.go:100: Create Success

Update the server settings

nano /home/travis/vulsrepo/server/vulsrepo-config.toml

[Server]
rootPath = "/home/travis/vulsrepo"
resultsPath  = "/home/travis/results"
serverPort  = "5111"
#serverIP = "127.0.0.1"
#serverSSL = "yes"
#serverCert = "cert.pem"
#serverKey = "key.pem"

#[Auth]
authFilePath = "/home/travis/.htdigest"
realm = "vulsrepo_local"

Restart the service

sudo systemctl restart vulsrepo

Add a custom crontab to schedule scans. I set mine to run a scan every day a 1AM

crontab -e

0 1 * * * vuls report -format-json

A few parting thoughts.

If I were to install this again, I'd create a different user for it to run as and install it in /opt. I'd also like to see a lot better security on the web-based viewer than what's currently in place before actually deploying this. I'd also just make all the configuration changes to the config files at once rather than editing the same file 2-3 times.

@wirestyle22 said in Weekend Plans:

My sister is coming to visit this weekend. Should be fun

Both my sisters, brother-in-law, and nephews were in last weekend. My nephews are at those perfect ages right now, 9 months and 3 years. Was a great weekend.

Me with the 9 month old

So, I finally got a base installation working. Took way to long, and I never would've made it this far without @xylems notes from https://mangolassi.it/topic/17493/errors-building-guacamole-server-on-fedora-28/39

This will hopefully be the first of a number of guides on Guacamole, so will be the base I'll be working from in the future. As of right now I'm planning to also do guides on authentication via LDAP and databases.

This base install isn't what I'd call secure for a number of reasons.

1. Passwords are contained in plain text within user-mapping.xml. Authenticating with and md5 hashed password did not work for me, which is probably a good thing if you're familiar with md5. Problem is that I haven't been able to find any documentation on the current hashing method to use in user-mapping.xml.
2. selinux is disabled. I've done some basic troubleshooting, but not been able to correct selinux to allow everything to run correctly yet. The only denials I saw in the audit.log were for ssh, so I suspect that selinux would need settings configured for every protocol you're going to use. For the time being, it's just disabled.
3. ssh is using username/password authentication on the back end. It's recommended to use key-based authentication as normal, but that's beyond this basic walk through.
4. No HTTPS. I'll add a note about putting this behind the Nginx proxy guide that @JaredBusch wrote: https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

This guide is written assuming you are at a root prompt. While it's possible to login to root directly in Fedora, I recommend using sudo su - or just appending sudo before every command. Makes forensics easier if someone needs to go check who was doing what after the fact.

Let's start out by installing and configuring some system level tools, fail2ban, and automatic updates.

dnf -y install nano glances wget dnf-automatic fail2ban
#Configure dnf-automatic to automatically install updates instead of just downloading them
sed -i 's/no/yes/' /etc/dnf/automatic.conf
systemctl start dnf-automotic.timer    
systemctl start fail2ban    
systemctl enable dnf-automatic.timer    
systemctl enable fail2ban

Disable selinux (sad admin)

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0

Install the guacd deamon and dependencies

dnf -y install guacd tomcat tomcat-webapps libguac-client-rdp libguac-client-ssh libguac-client-vnc terminus-fonts terminus-fonts-console dejavu-sans-mono-fonts

Open the firewall port

firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload

Create the guacd configuration directory

mkdir /etc/guacamole

This config file is just an example. Be sure to customize it to your environment.

cat > /etc/guacamole/user-mapping.xml <<EOF  
<user-mapping>  
<!-- Per-user authentication nd config information -->  
    <authorize username="guacamole"   
        password="guacpas">  
        <connection name="Drupal">  
                <protocol>ssh</protocol>  
                <param name="hostname">10.10.10.5</param>  
                <param name="port">22</param>  
                <param name="color-scheme">green-black</param>  
        </connection>  
    </authorize>  
</user-mapping>  
EOF

Download the tomcat web server file into the default location

cd /var/lib/tomcat/webapps
wget https://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-0.9.14.war
mv guacamole-0.9.14.war guacamole.war

Start and enable the system services

systemctl start guacd
systemctl start tomcat
systemctl enable guacd
systemctl enable tomcat

Now at yourip:8080/guacamole you should see:

Login with the user information from user-mapping.xml and you'll get:

Then login with your user credentials for the remote system, and you should be running on the remote host:

@popester said in HDMI wall Plate and Jack issue.:

Does anyone have any pointers on fortifying HDMI wall jacks? Everything we have tried has been, bent, broken, smashed or lost. The most frustrating thing is users break it and we find out about it when the next person has a meeting and cant plug in. Do i need to go a different direction? Thoughts?

FTFY.

Let me rephrase this as a question you should ask the person chewing you out. "As soon as I have a ticket asking for this HDMI port to be fixed I'll get it taken care of. Now, seeing as I have no ticket, you chewing me out about it is a massive waste of time. Would you like me to start a new ticket now, and see what needs done to correct the issue?"

@dmacf10 said in User Profile Discs:

The entire network is running 10Gb fiber. All RDP hosts are separated by only one switch. The Network isn't saturated by any means. I'm thinking that it's a issue with the storage on the server that's hosting the UPDs. It's a 4-disk raid 10 with WD 7200 RPM Enterprise drives. I just want to make sure the next move I make will take care of this issue and allow me to scale up a bit more as we add more users.

Uhm, yeah, that's not going to handle the login storms, and would not be very fast in general. I know OEMs charge way to much for SSD, but they're getting cheap for the capacity now. https://www.newegg.com/Product/Product.aspx?Item=9SIA99494V9845 $225 for an Intel DC 1.6TB.

Just saw that I got a job offer, yay! Edge Technology in Columbus, OH. Looks like it's going to be the ITSP life for me.

@xrobau said in Changes at Sangoma:

So, as a Solaris administrator from way back, let's go through a couple of the misapprehensions about ZFS in that document you linked!

• ZFS Is an Alternative to RAID - Yes. It's a DIFFERENT TYPE of what normal people think of as 'RAID' - or specifically, RAID5/RAID6. They use Parity, and when a disk is broken/missing, it does calculations to figure out the missing data. ZFS uses copies of the data. Striping and Mirroring is obviously the same.

Uhm, what do you mean by "ZFS uses copies of the data" when talking about parity based arrays? This makes zero sense, as no matter what special sauce the array is using, it still must do the parity calculations. Unless it's really running a RAID 1/10 as another layer on arrays.

Added another UPS to my home setup.

Yes, that's the old NTG file server and SunFire there @scottalanmiller. Thanks to you, I need to find a small rack.

https://www.darkreading.com/cisco-pays-$86m-in-first-false-claims-suit-for-vulnerabilities-in-security-product/d/d-id/1335423

That's 8.6 million, not 86 million like the link would have you believe. Still, don't piss off the government by firing a person who calls you out for security problems and continue to sell the solution to the government claiming that it is secure. At least the whistle blower gets 20% of that, good on them.