  • You need a passphrase to unlock the secret key for

    0 Votes
    3 Posts
    811 Views
    wirestyle22

    @JaredBusch I have a file that exports the username and password in the script, so I am using a password. Sadly this error just fixed itself with no changes and everything is working as intended now so I won't know what the root cause of this was. Thanks for replying though.

  • Local Storage vs SAN ...

    3 Votes
    36 Posts
    4k Views
    scottalanmiller

    Examples in known open source worlds...

    If you run ProxMox with DRBD on the Debian (host) layer, it's RLS assuming ProxMox has local disks.

    If you then make that block storage available over the network, it becomes a SAN (a traditional / physical SAN.) A SAN with replication for resiliency.

    If you run ProxMox and make a VM of Ubuntu and in that VM install DRBD it may or may not be RLS depending on where the host is getting its storage from for that VM. To the VM it will appear as if it is RLS, but we really don't know unless we check the stack. It's just the replication piece here.

    If you then make that DRBD block layer in the VM available over the network, it becomes a vSAN.

  • ZeroTier rules to limit freelancer access

    1 Votes
    13 Posts
    893 Views

    @scottalanmiller said in ZeroTier rules to limit freelancer access:

    @Pete-S said in ZeroTier rules to limit freelancer access:

    Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.

    To me this is what makes more sense. I get the value is DOUBLE protection. But at a minimum this should be there first, ZT only as a completely additional layer of protection.

    I agree. Network access control and segmentation is just to make it freakishly hard to traverse for malicious actors and software.

  • Twelve99 Routing Issues from Cox in Omaha to Chicago

    0 Votes
    1 Posts
    175 Views
    No one has replied
  • Configure ZTE F670L for NAT on LAN Ethernet Ports

    0 Votes
    8 Posts
    8k Views
    scottalanmiller

    @dagors said in Configure ZTE F670L for NAT on LAN Ethernet Ports:

    This was it. What a dumb way to have that worded!!

    Sorry, google translate.
    But it's good that it was fixed.

    I mean dumb way that ZTE worded it.

  • 0 Votes
    8 Posts
    1k Views

    We find that if we rename the PC, then allow more than a day to go by before restarting, this can happen.

    Also, if we rename a PC, then the user allows the PC to go into Lock mode (screen saver timeout with login required to return) they will encounter this upon wake up/re-logon.

    In the above two cases a reboot usually resolves it, when it doesn't, we go in as local admin and disjoin then rejoin the domain to resolve it.

    Also, in the above two cases, we did not lose the computer in active directory, so after the disjoin/rejoin you'd want to remove the orphan computer from AD.

    There's an article online somewhere about why you should NOT disjoin and rejoin the domain in this case, but we have always done it this way and have never experienced ill effects.

  • 2 Votes
    2 Posts
    861 Views

    @scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

    If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

    Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

    setcap cap_net_bind_service+ep /my/binary/file

    Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

    Good to know!

    I found this as an example of how to use it and also commands to remove the permission:
    https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

    The setcap utility seems to be available in the libcap2-bin package on debian distros.

    I haven't checked if it's installed by default.

  • Helpdesk - PC replacement routines

    1 Votes
    15 Posts
    1k Views
    scottalanmiller

    @IRJ said in Helpdesk - PC replacement routines:

    @scottalanmiller said in Helpdesk - PC replacement routines:

    @IRJ said in Helpdesk - PC replacement routines:

    The Helpdesk team exists to be a human shield for users. Your main job is to keep users away from the rest of IT. Customer service and user support is the job. Since your Helpdesk should be made up of entry level with fair turnover, I'm not sure you're gonna ever be efficient nor is that really the goal.

    I started in Helpdesk as did many others I've met in higher IT positions. The employees that you have that are really good are not meant to stay there too long. If your company doesn't have the foresight to promote top performers, they will just leave and go somewhere else.

    The TLDR is Helpdesk is supposed to be a human shield for IT. It should be a starting place for aspiring IT professionals, and if they are knowledgeable enough to improve these processes they won't be around long (one way or another).

    That said, some people like the interaction and choose to stay there. But that's not the norm. But even then, it's a customer service role for sure and "performance" will always be difficult. In fact, you might dislike performance if it means less human interactions with end users.

    Yep. I've seen it. There's one guy that I worked with that just loved everything about Helpdesk. Far more capable than the desk. He could be working with servers, cloud, etc. He just decided he loved what he was doing and stayed there for many years. I kept in touch for many years beyond us working together and he was always there. Big fish in little pond so to speak, and I think he likes that.

    We've had staff like that. Pure gold if you find them. Someone actually happy with "what they are doing."

  • How to use different accounts on the same website/service with profiles

    3 Votes
    7 Posts
    592 Views
    Dashrender

    @Danp said in How to use different accounts on the same website/service with profiles:

    With Firefox, you also have the option of using the Multi-Account Containers extension.

    Been using this for 3+ years. Damn, I just wish Chrome supported it.

  • Exchange Online: create users with PS

    0 Votes
    3 Posts
    224 Views
    gjacobse

    @jt1001001

    Thank you, about what I expected. Just needed confirmation.

  • Fedora 33 SSH Access Denied But Webmin Works Fine

    0 Votes
    21 Posts
    2k Views

    @JaredBusch said in Fedora 33 SSH Access Denied But Webmin Works Fine:

    @scottalanmiller said in Fedora 33 SSH Access Denied But Webmin Works Fine:

    Root is disabled by default in SSH configs most of the time.

    Not until the last couple of years. Sure we always disabled it, but it was not default that way until recently.

    Ubuntu disabled it by default in 14.04 (2014) and Debian in version 8 (2015).

    This probably coincides with when the openssh developers decided that disabled should be the default in the source code.

    It's up to the distro to set defaults for installed packages so RedHat based distros like Fedora might have been much later.

  • Proxmox hates security

    1 Votes
    12 Posts
    2k Views

    @scottalanmiller said in Proxmox hates security:

    @Pete-S said in Proxmox hates security:

    @scottalanmiller said in Proxmox hates security:

    @Pete-S said in Proxmox hates security:

    I'm not saying Proxmox is insecure, I'm just saying it wasn't designed with security as its primary focus.
    KVM by default for instance is managed by libvirt and by default doesn't open any TCP ports at all. That gives the administrator the option to decide what level of security versus convenience they want.

    Ignoring "by default" in that, ProxMox can be the same. You can close everything up and only manage however you like. You don't have to use the web interface on it, it can be totally shut down. Obviously defeating lots of the purpose, but plausible.

    I spend far more time on ProxMox via command line via MeshCentral than via the web interface and the web interface, while we don't lock it down from the LAN in most cases (we run a LOT of ProxMox these days) we primarily access it from the PM host itself from a jump box running on top of it for the cases when the web interface is needed. So while we don't go to the degree of locking it off from the LAN, we could and we wouldn't notice the difference most of the time.

    That's not a default, so obviously totally different. But it's a really simple setting.

    That's good to know.

    We don't use the GUI anymore either, but we're moving away from pre-packaged hypervisors and to pure KVM with libvirt compatible management tools.

    We have found that to be the best solution for our use case (high degree of automation and customization).

    I'd like to see that for sure. There's a lot of benefit to that, potentially at least.

    We're automating a lot.

    But the real problem is not the automation itself. The real problem is that automation and standardization is time consuming.

  • IT Quotes I Like

    10 Votes
    139 Posts
    42k Views
    scottalanmiller

    New quotes this week...

    Planning is only useful when it can be used for preparation.

    and

    When deploying software we should never be concerned with how long the vendor will continue to provide support, but rather by how soon we get to update.

  • What to use for new Windows network domain

    Solved
    0 Votes
    13 Posts
    2k Views
    JaredBusch

    @JasGot said in What to use for new Windows network domain:

    No need for split DNS this way.

    That is a huge reason.

  • Assign text to Key

    1 Votes
    4 Posts
    433 Views
    siringo

    Thanks guys, I'll check out AHK.

  • Wavix SIP trunks?

    0 Votes
    1 Posts
    177 Views
    No one has replied
  • Recommended storage setup for Proxmox VE homelab

    0 Votes
    14 Posts
    4k Views
    JaredBusch

    @Pete-S said in Recommended storage setup for Proxmox VE homelab:

    @JaredBusch said in Recommended storage setup for Proxmox VE homelab:

    Proxmox requires ZFS if you are going to use the built in replication.

    Don't you need more than one server to have any use for replication?

    I have the specified setup at two clients. Dell hardware RAID with a ZFS RAID 0 on top of it to get replication working.