@scottalanmiller said in Free / Cheap Unattended Remote Access Utility for Windows PCs:
@EddieJennings said in Free / Cheap Unattended Remote Access Utility for Windows PCs:
@NetworkNerd
My MeshCentral VM is in Vultr.
Same here. Way better than AWS, Azure, or GCP for standard workloads like this.
Just for home use, it could likely sit in a free AWS Lightsail instance if it is small enough.
@Dashrender said in Remote Access for home user:
@manxam said in Remote Access for home user:
@fuznutz04 : Keep an eye out for the "hidden" hibernate that doesn't show up under "Plan settings" (only sleep and display). I've seen multiple systems that have "Hibernate after" configured under "Sleep" in the advanced settings as default.
There's also the problem where some systems become broken and once a system goes to sleep, it will continue going to sleep no matter what after something like 2 mins of non-use. Rebooting fixes it, until it goes to sleep again... there is a fix somewhere in these threads too, a reg fix.
Hahah, yeah. I was part of that thread too having been bit by it myself. Thankfully I haven't seen that behaviour in over a year.
Your thread : https://mangolassi.it/topic/18166/windows-10-goes-to-sleep-outside-listed-sleep-times
My thread : https://mangolassi.it/topic/17731/windows-10-ignoring-display-sleep-inactivity-settings
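The hidden "Hibernate after" timer described above can be read and cleared from a prompt without hunting through the advanced power dialog. This is an added example, not something posted in the thread; it only uses the documented powercfg aliases (`powercfg /aliases` lists SCHEME_CURRENT, SUB_SLEEP and HIBERNATEIDLE) and assumes English powercfg output, since the "Current AC Power Setting Index" labels it parses are localized.

```powershell
# Added example: show and clear the Sleep > "Hibernate after" idle timer that the
# "Plan settings" page does not display. Run from an elevated prompt.

function Get-HibernateIdle {
    # Returns the AC and DC "Hibernate after" values in seconds (0 = never).
    $text = (powercfg /query SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE) -join "`n"
    $ac = [regex]::Match($text, 'Current AC Power Setting Index:\s+0x([0-9A-Fa-f]+)')
    $dc = [regex]::Match($text, 'Current DC Power Setting Index:\s+0x([0-9A-Fa-f]+)')
    $acSeconds = if ($ac.Success) { [Convert]::ToInt32($ac.Groups[1].Value, 16) } else { $null }
    $dcSeconds = if ($dc.Success) { [Convert]::ToInt32($dc.Groups[1].Value, 16) } else { $null }
    [pscustomobject]@{ AC = $acSeconds; DC = $dcSeconds }
}

function Disable-HibernateIdle {
    # 0 = never, on both AC and DC, then re-apply the active scheme so it takes effect.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 0
    powercfg /setactive SCHEME_CURRENT
}

$before = Get-HibernateIdle
'Hibernate after: AC={0}s DC={1}s' -f $before.AC, $before.DC
if ($before.AC -or $before.DC) {
    Disable-HibernateIdle
    Get-HibernateIdle
}
```

A non-zero value on a machine whose Plan settings say "Never" is the case manxam describes. The same query/set pattern works for any other Sleep subgroup setting that `powercfg /aliases` names, which is handy for the systems that keep dozing off regardless of the visible settings.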
@scottalanmiller said in Making an RDP Terminal Server with Ubuntu Linux:
I recommend the Remmina RDP client tool, it's the bomb.
I love Remmina as a client.
@scottalanmiller said in MeshCentral2 Issue:
@dafyre said in MeshCentral2 Issue:
What I saw on my Fedora 29/Gnome desktop was that it showed up, but most of the remote features did not work.
that's more of what I would expect.
As discussed in another thread (I think)... that's due to Wayland being used for Gnome.
@Romo That is correct, the red "Agent Tag" is a "meshagent.tag" text file that is in the same folder as "meshagent.exe". It can contain up to 1k of data sent to the server on each agent start. It's there so if you have some sort of automatic installation of the agent, you can put a serial number or something in that file and it gets sent up to the server. It pre-dates the other blue tagging that is server side only.
All this to say, the two tagging systems are completely separate. I can add you an "atag:<agenttag>" filter if you like? Let me know what you need.
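What the scripted-install case looks like in practice, as an added example (not MeshCentral's own code): write meshagent.tag beside the agent so the hardware serial rides up on every agent start. Assumptions: the agent folder and service name below are the default Windows ones (adjust if yours differ), and the key=value tag layout is just a convention of this script.

```powershell
# Added example: populate meshagent.tag during an automated agent rollout.
# Assumed default install folder of the Windows agent.
$AgentDir = 'C:\Program Files\Mesh Agent'

function New-MeshAgentTag {
    param(
        [Parameter(Mandatory)][string]$Dir,
        [int]$MaxBytes = 1024          # the agent sends at most about 1k of the file
    )
    $serial = (Get-CimInstance Win32_BIOS).SerialNumber
    $model  = (Get-CimInstance Win32_ComputerSystem).Model
    $tag = 'serial={0};model={1};deployed={2}' -f $serial.Trim(), $model.Trim(), (Get-Date -Format 'yyyy-MM-dd')

    # Plain ASCII and within the limit, so nothing is silently dropped server side.
    $bytes = [Text.Encoding]::ASCII.GetBytes($tag)
    if ($bytes.Length -gt $MaxBytes) { $bytes = $bytes[0..($MaxBytes - 1)] }

    $path = Join-Path $Dir 'meshagent.tag'
    [IO.File]::WriteAllBytes($path, $bytes)
    return $path
}

# Write the tag, then restart the agent so it is reported immediately
# (assumed service name "Mesh Agent").
$tagFile = New-MeshAgentTag -Dir $AgentDir
Get-Content $tagFile
Restart-Service -Name 'Mesh Agent'
```

The agent trusts whatever is in that file, so keep the agent folder writable by administrators only; a standard user who can edit meshagent.tag can relabel the machine on the server. Treat the tag as an inventory hint, not as anything the server should authorize on.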
@scottalanmiller said in MeshCentral - Anyone tried this?:
@IRJ said in MeshCentral - Anyone tried this?:
@JaredBusch said in MeshCentral - Anyone tried this?:
@IRJ said in MeshCentral - Anyone tried this?:
@JaredBusch said in MeshCentral - Anyone tried this?:
@IRJ said in MeshCentral - Anyone tried this?:
@Grey said in MeshCentral - Anyone tried this?:
@JaredBusch said in MeshCentral - Anyone tried this?:
@Grey said in MeshCentral - Anyone tried this?:
Does the software establish a connection outside the managed network or do you have to vpn to the network to reach the management server?
It all runs on HTTPS connections.
I asked if I need to be on the highway to get to my destination, or if I can take surface streets and you told me to use snow tires. WTF?
I mean it's up to you how you want to design it. I would say putting it behind a VPN is the smart way to do it. Like mentioned earlier, it isn't necessary. However, it greatly reduces your attack surface.
What attack surface? The only thing you access is the web interface.
That's still a surface. Why even let attackers get to a management server to attempt a brute force or DoS?
And that is different from letting an attacker attempt to brute force or DoS a VPN?
You always have an open port to come in.
That is true, but it doesn't reveal what's behind it. Something like MeshCentral would be something an attacker would be interested in, but if it's behind your VPN server they have no clue it's even there.
Except VPNs are far better known and more "interesting". Nothing says "I've got something to hide that I think is valuable" like a VPN. VPNs are big advertisers that someone believes they have something worth something.
So what? Now you have to break into the VPN and mesh central. It makes it harder for an attacker.
Breaking into the VPN doesn't net you much if your traffic is encrypted internally, in fact you are in the same spot as having all your valuable assets public facing.
VPN is easy to implement with minimal hardware in an immutable fashion and gives you an extra layer of defense that is quite difficult to breach.
@stacksofplates said in Remote management of VMs hosted in colocation:
@dashrender said in Remote management of VMs hosted in colocation:
@stacksofplates said in Remote management of VMs hosted in colocation:
@scottalanmiller said in Remote management of VMs hosted in colocation:
@stacksofplates said in Remote management of VMs hosted in colocation:
@scottalanmiller said in Remote management of VMs hosted in colocation:
@eddiejennings said in Remote management of VMs hosted in colocation:
Allowing an SSH connection to the management VM from the Internet
I have not tried this approach yet, and it appears more risky than the Screen Connect approach, since SSH to that VM would be open to the Internet. Unless I'm missing some benefit to this approach, I'll not be using it.
Use a strong key, lock to your IP. Very safe. Add Fail2Ban, of course.
Or add Salt and open/close based on need so it doesn't stay open.
Fail2ban doesn't work with keys.
But it would work normally with people attacking using non-keys, would it not? Or am I missing something about what it would do?
Why would you not require keys? Not making them mandatory defeats the purpose of using them.
I think he means - if a hacker is trying to use a password on a system setup to only allow keys - the fail2ban will block those users, or won't it?
No. It's dropped before fail2ban even sees it.
Oh, makes sense. There is no "attempt" like with a password, it is "already blocked."
@jaredbusch said in I need to control a chromebook with no user interaction:
@scottalanmiller said in I need to control a chromebook with no user interaction:
Only the Chrome RDP code of which I am aware.
You need that every time, right?
Yes, I've looked into automating it and couldn't find a way.
@dbeato said in RDS 2016 Remote App issue:
@dafyre said in RDS 2016 Remote App issue:
@dbeato said in RDS 2016 Remote App issue:
@dafyre said in RDS 2016 Remote App issue:
@dbeato said in RDS 2016 Remote App issue:
I am also leaning to do this:
https://social.technet.microsoft.com/Forums/windows/en-US/96cf9ef3-6ec2-4c7a-9e9f-21aeb6ef794d/remote-desktop-collection-is-missing-properties-i-would-like-to-add?forum=winserverTS
That's essentially what the PowerShell script does... So you ran the script and you're still not getting correct RDP files from the RD Web site?
yeah, it didn't really work since it is not updating anything on the connection broker. I am going to redo it all...
Curious.
You mean after I finish redoing it?
Just strange that it isn't working. I have Gateway, Web, and Connection Broker on same system here, so that could be part of it.
@mike-davis said in How MSPs provide their services:
@scottalanmiller said in How MSPs provide their services:
That's a lot of investment for a system like that. If you have hundreds of customers, it can make sense. But it takes a lot of customers to recoup the lost time into that system. It can work out well for a traditional MSP, but depends on large scale standardization to justify the investment.
I don't know about hundreds of customers. The number of end points might be more relevant. For me at about 10 MSP customers I can justify the investment. When you look at the time it takes to set up something like a zabbix server and maintaining a WSUS server vs not having to that helps make it worth it. Missed revenue because you didn't have a system in place to capture every minute hurts.
It would be a blend, I'm sure. A single customer with a million end points wouldn't make sense because you'd use more traditional tools in a single customer scenario. And a hundred with only one end point each wouldn't do it either. So some combination of enough end points for volume and enough customers for complexity put together.
@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:
@dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:
@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:
@eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:
Thanks to @Dashrender for the assist. It looks like the problem was authentication. I authenticated to the VPN using domain\username rather than using the User Principal Name. Doing the latter allowed me to reach DFS shares.
Whoops, that's crazy but definitely there is an issue with DNS
huh?
If the user cannot login with UPN there is an issue with DNS.... As you should be able to use domain.com.
User can login with UPN. They were using the old domain\username method rather than UPN, which apparently caused problems with accessing stuff via the DFS namespace.
ListeningOn = ::1, fe80::ad99:8e4d:c356:9939%5, fe80::c0a1:571b:2955:87be%7, fe80::cda4:4841:5bff:7b5c%8, fe80::f902:5ea5:2d74:a154%3
Interesting - the server is only listening on IPv6 addresses.
Turns out IPvX filters are for the addresses that are listening (i.e. the local IP on the machine you are trying to remote into).
I set a filter like this 10.0.0.1-10.0.5.254 (where my admin machines would live).
Unfortunately, since this isn't an incoming filter (that's the firewall's job) this filter wasn't large enough to cover all of my production networks. I had 10.1.0.1-10.1.0.254 that wasn't inside the above range, and of course that kept the machine from listening on its IPv4 (the IPv6 was listening because I just left it wide open - testing, not using IPv6 in general, so left it as default (*))
So tweaking my filter to 10.0.0.1-10.0.5.254, 10.1.0.1-10.1.0.254 solved my problem.
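The fix above, as an added example that is not part of the original post. Assumption: the "IPvX filters" and the "ListeningOn = ..." line are the WinRM service's IPv4Filter/IPv6Filter and the output of `winrm get winrm/config/listener`, which is where that wording and the `*` default come from. Those filters decide which local addresses the service binds to; they are not a client allow-list, so the firewall rule at the end does the part the filter cannot. The 10.0.0.0/21 admin range is assumed from the post's 10.0.0.1-10.0.5.254. Run elevated.

```powershell
# Added example: align the WinRM bind filters with every local range the host lives in,
# stop listening on IPv6 if it is not used, then restrict clients with the firewall.

function Get-WinRmBindings {
    # Current filters plus what the listener actually bound to.
    [pscustomobject]@{
        IPv4Filter  = (Get-Item WSMan:\localhost\Service\IPv4Filter).Value
        IPv6Filter  = (Get-Item WSMan:\localhost\Service\IPv6Filter).Value
        ListeningOn = (winrm get winrm/config/listener | Select-String 'ListeningOn').Line.Trim()
    }
}

Get-WinRmBindings

# List every local IPv4 range the host may hold an address in; an interface outside the
# list is silently skipped, which is the symptom described above.
Set-Item WSMan:\localhost\Service\IPv4Filter -Value '10.0.0.1-10.0.5.254, 10.1.0.1-10.1.0.254'

# The IPv6Filter default is '*'. Clear it if you do not manage over IPv6, so the only
# listeners are the ones you meant to have (winrm.cmd form for the empty value).
winrm set winrm/config/service '@{IPv6Filter=""}'

Restart-Service WinRM
Get-WinRmBindings

# Admin workstations live in 10.0.0.0/21 (covers 10.0.0.1-10.0.5.254); only they may reach
# the WinRM listener ports, whatever addresses the service is bound to.
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress '10.0.0.0/21'
```

After the restart, ListeningOn should show the 10.0.x and 10.1.0.x addresses and no link-local IPv6 entries. Keep the two mechanisms straight when troubleshooting: a missing bind shows up as the host not answering on that interface at all, while a firewall block shows up as a connection refused or timed out from the disallowed source.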
@scottalanmiller said in Out of Band Management - does it mean no keyboard at all:
@JaredBusch said in Out of Band Management - does it mean no keyboard at all:
@scottalanmiller said in Out of Band Management - does it mean no keyboard at all:
@Carnival-Boy said in Out of Band Management - does it mean no keyboard at all:
Well, I'm glad that's been cleared up. You can probably delete the thread now
I don't even know what the original thread was!
And that is why you have no concept of what you posted being completely wrong for the context of the thread.
Honestly, it is pretty straight forward if you read the first post.
https://mangolassi.it/topic/13595/out-of-band-management-does-it-mean-no-keyboard-at-all
The first post also contains links back to the thread that @DustinB3403 pulled this from.
I was responding to the post quoted, though.
Which was in the context of the entire thread. If you want to cherry pick something, then clearly, state as much. You did not.
@JaredBusch said in Which IT Collaboration / Meeting Tool do you use?:
@scottalanmiller said in Which IT Collaboration / Meeting Tool do you use?:
@Dashrender said in Which IT Collaboration / Meeting Tool do you use?:
Could a FreePBX state be set up with all of the features requested? I'm guessing a third party client software would be needed.
Of course we have Telegram and Rocket.chat, but those are chat only clients, I think... So missing the rest.
That's why Elastix insists on having OpenFire built in. You can do a lot of that stuff with the combination.
FreePBX offers an XMPP module. Have not used it for the same reason I have not used OpenFire in Elastix. No one in my current customer base wants an in house only chat platform.
Yeah this is the problem, internal only chat is damned near useless.
@Jason said:
@gjacobse said:
@MattSpeller said:
@coliver said:
@MattSpeller said:
@coliver said:
I've had a low success rate with startech devices. They are cheap and when they work they work ok... but most of the time they don't. Even if one had been working fine come in the next day and it doesn't work at all.
Exactly my experience, but I will add that the more complicated the product is the lower its chances of working properly. It's a sliding scale from "meh, yeah, ok" to "possessed by demons" to "complete and utter failure to chooch"
At a former job we bought a serial to USB from them for a PLC once... never again. It did funky things and inserted random characters into programs. We returned it for a replacement... the second one didn't work at all.
Oh sweet jesus those are the exception. NEVER buy one unless it's straight from these guys. Trust me, I spent years doing electronics engineering programming chips and bit banging
http://www.ftdichip.com/Products/Cables/USBTTLSerial.htm
Yeah... there are a lot of fakers that just won't work on those FTDI drivers... ugh.
The driver has a verification software in the download you can check the chip with though.. in Windows 7 the fake ones would still work I believe.
Until FTDI decide to block them again heheh
@BRRABill said in Accessing a Linux Server via SSH:
@scottalanmiller said
The default of what is to copy, paste and hit return?
PUTTY.
By default when you right click something to copy, it copies it and pastes it and then hits return.
I guess perhaps just highlighting it copies it? I like the Windows method.
No it does not. I thought maybe you were thinking this but did not want to imply it. That's a misunderstanding of what is happening. It only does that IF your Windows environment and your actions are copying a carriage return into the clipboard (which Windows does by default.) This has nothing to do with PuTTY and is all about your Windows desktop AND it only does this if YOU make it happen, it does not do that for the rest of us. We don't copy the carriage return into the clipboard unless we want it. Windows makes this easy to control as a feature, but it is an invisible feature of the Windows environment so if you are not a Windows power user, you might not be aware that there is an interface to it that you are misusing.
PuTTY simply does what Windows tells it to do, PuTTY has no default behaviour like you are imagining.
Looks like SPICE could do it, found this comment on Wikipedia:
Xspice
The X.Org Server driver for the QXL framebuffer device includes a wrapper script which makes it possible to launch an Xorg server whose display is exported via the SPICE protocol. This enables use of SPICE in a remote desktop environment, without requiring QEMU/KVM virtualization.