• Skyetel Acquired ...

    13
    1 Votes
    13 Posts
    914 Views
    SkyetelS

    @JaredBusch I should clarify - IPO is not the plan. IPO being thrown around is because our volumes are now equivalent to publicly traded companies. Sorry for the confusion.

  • Mikrotik software firewall/router?

    31
    1 Votes
    31 Posts
    2k Views
    scottalanmillerS

    @Pete-S said in Mikrotik software firewall/router?:

    @PhlipElder said in Mikrotik software firewall/router?:

    @scottalanmiller said in Mikrotik software firewall/router?:

    The same sales tactic is used to sell expensive "you have to pay the vendor extortion rates for support" over open source products that are known to be far better for decades. It's probably the best known scam in our industry. And once people overpay and get too little, the vendor has customers over a barrel and they feel that they can't expose to management that they spent a fortune and got less than they would have gotten for cheap or for free. And so the spending spree continues because no one up the chain wants to expose what they've done.

    Three cluster setups:
    1: Cisco Small Business Pro series Gigabit and 10GbE
    2: NETGEAR Gigabit and 10GbE
    3: Ubiquiti Gigabit and 10GbE
    4: Mellanox/NVIDIA 10GbE, 40GbE, 50GbE, 100GbE

    Guess which ones we've had the most grief with? Which one's the least?

    I can't stand the suspense. Please tell!

    Cisco would be reliably the biggest problem. Never seen anything require more support, have more problems.

    Netgear is cheap, and we've seen lots of issues. Nothing is as bad as Cisco, obviously, but Netgear relies on easy to manage, easy to replace and if you have the right mindset it'll crush Cisco in the big scheme.

    Worked extremely little with Mellanox. Known to be really good stuff.

    Ubiquiti is definitely what I'd use most of the time. Good management, better pricing, and has the "easy to replace" advantages that take Cisco out of the serious running. Nothing Cisco could do (but doesn't anyway) could touch the safety net of being able to have spares instead of waiting for clueless engineers to putz around.

  • Exploring VitalPBX

    218
    4 Votes
    218 Posts
    38k Views
    scottalanmillerS

    @PitzKey said in Exploring VitalPBX:

    Phew! Wow, I just spent quite some time reading through almost every comment in this thread.
    Fast forward to now, it seems like most issues were addressed.

    Worth mentioning that we have been using VitalPBX in single and multi-tenant mode since I think early 2019 and have struggled with a ton of issues, but we are glad to see the progress they have made.

    This was a good throwback ride!

    Yeah, we use it heavily too.

  • Decentralized Identity

    38
    0 Votes
    38 Posts
    3k Views
    DashrenderD

    @scottalanmiller said in Decentralized Identity:

    @Dashrender said in Decentralized Identity:

    @scottalanmiller said in Decentralized Identity:

    @Dashrender said in Decentralized Identity:

    And those situations exist why? because Google and Facebook make a mint knowing more about YOU - the product.

    But twitter, GitHub, Discord, Apple and others don't and exist too. It's an easy thing to provide.

    Do those platforms offer centralized authentication? And - is it open to anyone to use? i.e. could ML choose to use Apple's APIs to do authentication?

    Yes, very common. We have hooks for many (not apple I don't think) available but it's a pain to maintain as they are third party and is it really valuable?

    Some sites that I use offer Apple for sure. I see it all the time.

    Is it valuable? I'd love the ability to use everything off my MS account - so yes, I think so.

    But a website's need to support dozens or more "centralized" or as the stupid video puts it - decentralized - authentication providers would definitely be a PITA for them.

  • What Database Does Patterson EagleSoft Use?

    1
    1 Votes
    1 Posts
    377 Views
    No one has replied
  • POTS line replacement

    72
    0 Votes
    72 Posts
    4k Views
    DashrenderD

    @pmoncho said in POTS line replacement:

    @Dashrender said in POTS line replacement:

    @pmoncho said in POTS line replacement:

    If there is paper to start and confirmation is needed, then I don't see how the process can be cut down any further than what is there other than automating the file name, watermark the barcode and the software "filing" the doc in the system against the patient.

    Exactly.
    In our case, a person must tell the system what type of document it is, and what to do with it once it's uploaded. That can either be done, and the output generates a barcode - the barcode goes on the page - then scan/upload to the system.
    OR the person scan/uploads the document - then while confirming it's on the screen - they tell what kind of document it is and what to do with it.

    To me the barcode is a huge waste of everything. AND introduces a failure point (what if the scan does a bad job on the barcode?)

    I'm guessing you probably have users that misclassify scans too? What is required if that happens?

    that's called just being human - If it happens though - I'm fortunately completely unaware of it.
    I assume if it's misclassified, that whoever finds it can change it - or task it to someone with admin rights (but not me) with a request to fix it.

    Now all of that said - there is equal chance of misclassifying it when making a barcode versus classifying it on the fly after uploading the image.

  • Zoho Zillum - family oriented mail and cloud storage

    22
    1 Votes
    22 Posts
    837 Views
    scottalanmillerS

    @Pete-S said in Zoho Zillum - family oriented mail and cloud storage:

    Are you perhaps referring to the Zoho Workplace bundles? The "Standard" tier ($3/user/month) doesn't have much cloud storage and the "Professional" is double the price ($6/user/month) but it's the closest to Zillum features and storage.

    Yes, that's the standard business bundle with the features. At $3 it gets more email storage but less "other" storage. Although for documents and other stuff that the platform is meant for it is unlimited. So that's quite a bit depending on how you use it.

  • 2 Votes
    29 Posts
    3k Views
    scottalanmillerS

    @Dashrender said in ScreenConnect Unable to Start on Fedora 33:

    @scottalanmiller said in ScreenConnect Unable to Start on Fedora 33:

    You can use an RDP client if you want for Windows users.

    I've read that - I need to figure out how that works.

    We have some customers using them, but we don't use them internally AFAIK.

  • Self-Signed certs for LDAPS

    2
    0 Votes
    2 Posts
    347 Views
    ObsolesceO

    @notverypunny said in Self-Signed certs for LDAPS:

    So I'll start off by acknowledging that self-signed certs are less than ideal for most purposes.

    Right now my goal is to get rid of plain-text LDAP on the network and want to make sure that I'm not trading one security hole for another.

    I've found a couple of sets of instructions online and figured I'd run the idea past the assembled brain-power before going too far down the rabbit hole.

    https://anandthearchitect.com/2019/10/10/active-directory-self-signed-certificate-for-ldaps/

    https://social.technet.microsoft.com/Forums/en-US/667ec29d-d83a-49b4-9280-308964359154/best-way-to-enable-ldaps-self-signed-certificate?forum=winserversecurity

    https://www.javaxt.com/wiki/Tutorials/Windows/How_to_Enable_LDAPS_in_Active_Directory

    Open to other suggestions to move from LDAP to LDAPS, but I'm in an environment that has too much legacy stuff to scrap it and / or AD so that whole possible course of action is the non-starter to end all non-starters.

    In an on-prem only AD environment, no problem using self signed.

  • rDNS PTR records - why?

    4
    0 Votes
    4 Posts
    208 Views
    JaredBuschJ

    @Pete-S said in rDNS PTR records - why?:

    your own IPs

    They really need to be your own IPs (reassigned because no end account ever actually owns them) and not just a random static IP from your ISP.

    Enterprise fiber is one of the few places where I know the IP addresses are mine. I know they are, because I have the ARIN account for them.


  • 2 Votes
    3 Posts
    1k Views
    ITivan80I

    Thank you for the heads up @scottalanmiller

  • 0 Votes
    4 Posts
    766 Views
    scottalanmillerS

    @travisdh1 said in SUSE Manager for managing CentOS and SUSE servers.:

    @openit said in SUSE Manager for managing CentOS and SUSE servers.:

    Hi there,

    Anyone of you ever came across SUSE Manager?

    While it is saying open source and it is letting to download evaluation copy with subscription key on email?

    I believe SUSE Manager kind product I'm looking, especially for patching CentOS and SUSE servers.

    Any clue?

    Why not use Ansible or Salt?

    These are what I'd generally recommend.

  • Linux Copy a Disk Over SSH with DD

    7
    4 Votes
    7 Posts
    2k Views
    S

    if you want to also know the progress you can pipe it to pv, like in the below example

    ssh ubuntu@medcloud-xx.com "sudo dd if=/dev/nvme0n1" | pv | dd of=/Users/someuser/Desktop/mydisk.img
  • auto provisioning

    2
    0 Votes
    2 Posts
    175 Views
    scottalanmillerS

    @pradeep You are missing ALL context there. Other than "edit with a text editor", what are you expecting us to say with the limited info here? Editing XML is just a text file.

  • Email auto CC

    15
    0 Votes
    15 Posts
    1k Views
    scottalanmillerS

    @JaredBusch said in Email auto CC:

    @Dashrender said in Email auto CC:

    Yeah - this is straight up spying - in some states this would be illegal!

    Which? Because most states I know the details of, this is 100% employer right.

    Often if disclosed, but yes. Because it is the employer's system, after the point of sending. There's no assumption of privacy. It's not like cracking someone's encryption.

  • 0 Votes
    48 Posts
    5k Views
    scottalanmillerS

    @Dashrender said in Does block level sync exist?:

    @scottalanmiller said in Does block level sync exist?:

    @Fredtx said in Does block level sync exist?:

    @scottalanmiller Let me clarify. I want to make sure the "good" backups are copied to the offsite storage. So if the building were to catch on fire or something, and the good copies are destroyed. I would want to be able to restore from the offsite storage. In my case, some of the data was missing from the offsite storage that should have been replicated from the local "good" backup. Not sure what happened, and why it was not copied over, but it did not. I figured there would be some kind of sync mechanism that would have caught that ahead of time, which Barracuda said there is no such sync. That is why I reached out to the community.

    We understand. And that's important because clearly your sync failed. It's just that it also exposed the fact that the original backups are not application aware (unless there is no application) so something that you should see as a very, very large issue. If you are responsible for the backups, that is. Otherwise, not your monkeys, not your circus.

    You're making an assumption that there's an app to backup - which wasn't 100% clear until this post. As you mention - he might just be backing up file servers - so no app involved - just files to backup.

    Even a pure file server is normally accessed. "File server" is a form of "database". A very specific form, but surprisingly similar to a document database. It would be super weird, but not actually impossible, to have a file server that holds files but is never accessed. But once you start accessing files, it's an application doing the accessing and we are right back to where we started. File servers tend to have known usage patterns and accepted backup failure modes, but the issue hasn't changed. It just feels that way. No file exists without an application.

  • Production KVM server "hardening"?

    22
    0 Votes
    22 Posts
    1k Views
    ObsolesceO

    @Pete-S said in Production KVM server "hardening"?:

    I'm thinking about running pure KVM on debian for virtualization hosts. Not Proxmox. There will be no GUI on the servers, no web interface, only ssh for management.

    Do I need to do anything special to lock down the security?

    I've never used KVM in production, only on my desktop and then I've had virt-manager as well as tools like virsh. So I don't really know what is required for a pure KVM server to be as "secure" as Proxmox, xcp-ng or whatever.

    Keep the OS and everything updated. Keep drivers updated. Keep firmware updated. Use only key-based auth for SSH, add only specific devices to authorized_keys file. Ensure firewall configured well. Set up log alerts for access.

  • Per User RDP license check

    5
    0 Votes
    5 Posts
    426 Views
    pmonchoP

    @Dashrender said in Per User RDP license check:

    @pmoncho said in Per User RDP license check:

    I want to install a piece of software on the license server this afternoon to finish off a project and it will require a reboot.

    I wanted to reboot it in the middle of the day but don't want to cause an issue and get "The remote session was disconnected because there are no Remote Desktop License Servers available ...."

    Don't need 30-40 calling with an issue.

    wow - OK... While my gut tells me you'd be fine - the issue I would expect you to POSSIBLY get is someone trying to sign in right while the reboot is happening - but otherwise I would expect everything else to just stay running. But don't really know.

    I was thinking the same thing. As they say, timing is everything.

    Hell hath no fury, like a medical receptionist scorned. 🙂

  • RDP/RDS hardening (borrowed from another topic)

    13
    0 Votes
    13 Posts
    730 Views
    scottalanmillerS

    @JaredBusch said in RDP/RDS hardening (borrowed from another topic):

    @scottalanmiller said in RDP/RDS hardening (borrowed from another topic):

    I don't consider unpatched an issue - at least not an RDP issue.

    That one had an exploit live before it was patched.

    oh okay, that's a serious issue then, for sure.

  • Weird DNS resolution issue

    15
    0 Votes
    15 Posts
    1k Views
    DashrenderD

    @scottalanmiller said in Weird DNS resolution issue:

    @Dashrender said in Weird DNS resolution issue:

    I suppose it's possible that would have resolved this specific issue as the router would have been the only device making connections to the external DNS... but then again - it could have caused all machines to go without DNS when the upstream server stopped responding...

    Not very likely. Plausible, but not likely enough to avoid it.

    sure - but then again, I've never seen this situation before either - so I would have previously called it unlikely.