• Error While Updating Ubuntu 18.04 to 18.10

    7
    0 Votes
    7 Posts
    2k Views
    DominicaD

    @jaredbusch said in Error While Updating Ubuntu 18.04 to 18.10:

    Always reboot before doing system updates, IMO.

    It was freshly powered up just to do the update. So it was.

  • Do you setup SSL for Intranet websites only

    27
    0 Votes
    27 Posts
    5k Views
    ObsolesceO

    @dustinb3403 said in Do you setup SSL for Intranet websites only:

    Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?

    You need SSL for everything period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do.

    You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to only pass internal IPs only. That's what I did for a few. For example, if you add this in:

    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;

    It will not proxy anything unless it comes from an internal IP.

  • 4 Votes
    2 Posts
    598 Views
    scottalanmillerS

    One of the examples in the article is that in a jury case, someone needed to explain 10% as meaning "one in ten". I think people who really get stats do this for everything in their heads all of the time - take anything and put it into the most meaningful terms. And I think those same people would be surprised to find out that other people do not do this.

  • 0 Votes
    242 Posts
    70k Views
    scottalanmillerS

    @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

    @scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

    @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

    @stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:

    I believe the forest level with Samba can only be 2008R2 though.

    If you're not using Windows AD, what's it matter?

    If he's merging in DFS, it might. It's rare to do, but could matter.

    Oh I see, so Windows AD and other services were involved at some point.

    Depending on what you want to do, sometimes AD has to support it.

  • Getting DHCP BAD_ADDRESS on Windows DHCP

    35
    1 Votes
    35 Posts
    10k Views
    CCWTechC

    So what we are pretty sure we have narrowed it down to is a WiFi device that reports the temperature of the refrigerator to an online portal that sends out notifications when there is an out of range event.

    There is an inside the fridge sensor and that sends the information to a receiver outside the fridge. The receiver part is what has the WiFi built in. I think the inside sensor to outside receiver communicate using 900 MHz.

    Who would have thought to check the refrigerator?

  • 1 Votes
    2 Posts
    787 Views
    scottalanmillerS

    Only so serious, it's in D-Link gear. Bwahaha

  • US HP support site down?

    13
    1 Votes
    13 Posts
    2k Views
    dbeatoD

    @travisdh1 just use the UK for now
    https://www.support.hp.com/gb-en/drivers

    It works

  • Diving into a completely new tech stack

    16
    0 Votes
    16 Posts
    2k Views
    scottalanmillerS

    @dyasny said in Diving into a completely new tech stack:

    @flaxking said in Diving into a completely new tech stack:

    @dyasny So far my only complaint is that they are lacking in kubernetes related courses

    There are WAY too many k8s related resources out there. Openshift is harder to come by, but only marginally

    Yeah, K8s is not a place generally lacking in resources today. If PS lacks them, that can be easily remedied.

  • Proxies as VPN?

    9
    0 Votes
    9 Posts
    1k Views
    scottalanmillerS

    @emad-r said in Proxies as VPN?:

    @emad-r

    They are using reverse proxy squid on a pfSense router as VPN, or to access company resources.

    For example, I think they made LAN 7.7.7.* and put company resources like http://web/company
    and only 7.7.7.* can access it in the config on pfSense.

    It does not work 100% of course. As you can bypass it if you do http://web/company?32141 and access it from WAN

    That works only if the resources are web only. In which case, a VPN was never appropriate in the first place. So in this case, a VPN would actually allow you to access unpublished web resources. But the reverse proxy will publish them.

    Now the presumed difference to most people is that the VPN will add a layer of protection in the form of authentication, and the proxy will not. This is not correct, however, because you can add that to the proxy, too.

    So, in reality, you are correct, in this specific case, the reverse proxy is actually making a VPN for just those specific web resources. It's a special case VPN, assuming you are using it as an SSL point.

  • W10 VPN connection via iPhone = Grrr

    16
    0 Votes
    16 Posts
    1k Views
    siringoS

    @marcinozga said in W10 VPN connection via iPhone = Grrr:

    I've been battling with VPN on Windows 10 ever since the latter came out. And if you do a quick Google search, you'll find thousands with all kinds of VPN issues on 10. Here's the only thing that worked so far, and I only discovered it yesterday.

    In registry, find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, then add AssumeUDPEncapsulationContextOnSendRule DWORD key, and change value to 2 and reboot.

    Yes, that's from here:
    https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows

    I had been holding off on doing this as I was under the impression that it was an issue elsewhere.

    I'll give that a go and see what happens ... ..... .... .... ...

    No, that didn't help.

    Off to moan to the telco.

  • Synology High-Availability Cluster

    17
    1 Votes
    17 Posts
    2k Views
    scottalanmillerS

    @donahue said in Synology High-Availability Cluster:

    Ah, I misread because I use NFS to plug mine into ESXi. That is the danger with Synology HA. Your standard OS generally won't care if the file drops out for a time while the second Synology realizes it has to become the active member. A hypervisor running VMs from it will certainly care though.

    Right, it's the hypervisor not looking the time to fail over. Will hit you if you use iSCSI on the Synology, too.

  • Outlook 2016 disconnected after waking from sleep

    4
    0 Votes
    4 Posts
    405 Views
    DashrenderD

    I found a post where someone blamed the way Chrome uses BITS for updates.

    They claimed that removing Chrome, then resetting BITS would solve it.

    I didn’t have time to test before my trip.

  • PVLAN (private VLAN) in the switch - are you using it?

    12
    0 Votes
    12 Posts
    2k Views
    1

    @scottalanmiller said in PVLAN (private VLAN) in the switch - are you using it?:

    PVLAN, or Port Isolation as I think most of us know it, is one of the better uses of VLAN tech. The idea is for extreme environments (not really SMB generally) when normal security measures are not enough, that you make an individual VLAN for every single device on the network so that you control via central firewall a second layer of access for every single port that there is.

    There are certainly legit cases for this. And I've worked for one of those places. But it's super rare. It is a lot of work, requires gear that supports it, and adds a lot of complication that you have to consider. It also adds a good deal of security.

    In the SMB, most places have over the top security already and zero day threats rarely threaten OS level firewalls. So PVLAN, while legit, rarely has appreciable value to an SMB. But when you need that "second firewall per device", then yes, it's definitely the way to go.

    Makes sense, but I'm thinking it doesn't have to be that much more work if you can apply automation to switch management as well.

    I think you can do port isolation on the virtual switches in VM hosts in the same way as the physical ones. I understand that at least VMware has had it for a long time so assume others have it now as well.

  • -5 Votes
    129 Posts
    33k Views
    scottalanmillerS

    Classic Curtis.

  • 1 Votes
    15 Posts
    880 Views
    IRJI

    @jaredbusch said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

    @irj said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

    @jaredbusch said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

    @irj said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

    I guess we were wrong... This course has about $80k in sales. I would assume it was bought mostly by employers, but maybe home users are interested in it as well.

    @zachary715 said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

    I have not gone through it, but KnowBe4 has a "Home Course" I assume designed for what you're looking for.

    Neither of these are designed originally for the consumer. They are successful businesses that add this component on as a "perk" for the few random consumers that do it.

    There will never be a successful business model for this kind of security for consumers that is not forced on them by external factors.

    KnowBe4 surely focuses on businesses, but I'm not so sure that is the case with the instructor on Udemy. The 3 courses he offers seem to be focused on home users.

    Consumers are still not going to just buy into this.

    I would bet most of his stuff business paid for.

    I would assume you are probably right. I have bought a few Udemy courses for my mother-in-law. One of them was how to use an iPhone. This course explained how to turn it on and do really simple stuff like reply to a text message, etc.

  • SSL Certs

    8
    0 Votes
    8 Posts
    488 Views
    WLS-ITGuyW

    @obsolesce said in SSL Certs:

    @wls-itguy said in SSL Certs:

    OK. So if I have 3 servers that have the following:

    pbxserver.site1.org at x.x.x.1
    secserv.site1.org at x.x.x.2
    weather.site1.org at x.x.x.3

    I could use one wildcard cert for all three servers, correct?

    IP addresses have nothing to do with it.

    I knew that - I was just making sure people knew they were indeed on 3 separate servers.

  • User Training Who is responsible

    32
    1 Votes
    32 Posts
    4k Views
    DonahueD

    Where I work, I don't have control over my colleagues. I am sure most places suffer from those people that are just there to stay in their lane and keep the status quo, at least everywhere I have ever worked. This sometimes applies to department heads and those people that should be taking charge of things like training. Generally, I find myself training users on specific tasks that they need to do their job, but a lot of times it comes down to how to process a specific task within our ERP, or somehow relating to how they use the technology we provide. I don't train our estimators how to make an estimation, but I will show them how to enter that into our ERP, or show them where to put all related documents. In a company our size, if there is no one that will take charge and try and force some sort of consistency and order, there will be chaos. A great example is the idea of a classic file server, whether it is a NAS or something else. Without proper permissions and forethought, you will end up with multiple users trying to share the same resources in multiple ways, that are often mutually exclusive. It also doesn't help, when talking about training, that some 'department managers' or other mid-level managers are not really managing as much as they are just the most senior person in that department. We have a lot of these types of managers where their workload is still doing the primary task of the department, instead of managing their workers who do the actual work. It makes it hard to have consistency for training, when no one seems to even have the time to train anyone properly, let alone work up any training materials and document any procedures ahead of time. It pays off in the end when it happens, but it's never an organic thing that happens, that's not how entropy works.
    This is one of the primary struggles for our company, and I have taken on some of this (not all of it mind you), possibly because I happen to be able to find a solution that fits our variables, and other people are not as well suited to the task.

  • Mozilla SSL Configuration Generator

    1
    -1 Votes
    1 Posts
    436 Views
    No one has replied
  • 1 Votes
    31 Posts
    7k Views
    JaredBuschJ

    @black3dynamite said in Outlook Out of Memory to Open Large Folder:

    Email/Mailbox hoarder!

    Definitely