    Posts

    • RE: Sodium Helpdesk: Unable To Create Password In Chrome

      @sodium said in Sodium Helpdesk: Unable To Create Password In Chrome:

      @quixoticjeremy said in Sodium Helpdesk: Unable To Create Password In Chrome:

      Have found the issue and have pushed a release. Keeping an eye for when it hits production to verify that like in dev this will fix the issue.

      Push to prod is done.

      Confirmed. The fix allows me to create password in Chrome.

      posted in SodiumSuite
      NashBrydges
    • Sodium Helpdesk: Implement Secure Headers

      You may also want to harden the web server.

      [image]

      @Sodium

      posted in SodiumSuite sodium sodium bug report sodium help desk
      NashBrydges
    • Sodium Helpdesk: HTTP Not Auto-redirecting To HTTPS

      Should be an easy one to fix. Noticed HTTP doesn't auto-redirect to HTTPS.
      [image]

      @Sodium

      posted in SodiumSuite sodium sodium bug report sodium help desk
      NashBrydges
    • Sodium Helpdesk Feature Request: Allow Edit Users + System Default User

      Right now the only edits allowed for existing users are to change Group, Reset Password or Delete. Also need the ability to change login name (without having to create a brand new user), change user email address and change First Name or Last Name. Any of those changes should also allow the user account to remain "attached" to any tickets, comments, updates, either currently open or historical.

      Also, if a user is deleted, all existing or past tickets, comments, attachments, etc, should automatically be assigned to a "system" user to allow for searching and filtering, reassignment if necessary. Deleting a user should not create any orphan records that cannot be searched or reported on.

      posted in SodiumSuite sodium help desk sodium feature request
      NashBrydges
    • Sodium Helpdesk: Username Using Email Address Cannot Login

      When creating a user where an email address is used as the login username, the new user cannot access the site. The new user keeps getting an invalid username or password error.

      If the user clicks on the "Forgot Password" link and proceeds to reset password, an email is successfully sent to their mailbox and clicking the link (except with Google Chrome) the user is prompted for a new password, after which he is directed to the dashboard. If this user then logs out and attempts to log back in with an email address as the username and using the new password, they continue to receive the invalid username or password error.

      posted in SodiumSuite sodium help desk sodium bug report
      NashBrydges
    • Sodium Helpdesk: New Group Permissions Not Working

      After creating a new group in Agent Groupings, I go to Group Permissions, select the new group and enable permissions; however, enabling "Ticket Settings" doesn't stick. After clicking the "submit" button, there is no confirmation that new permissions have been saved and upon screen refresh, the "Ticket Settings" revert back to disabled.

      Select all permissions:
      [image]

      This is what it looks like after clicking the Submit button (no confirmation after Submit):
      [image]

      This is what it looks like after screen refresh:
      [image]

      posted in SodiumSuite sodium help desk sodium bug report
      NashBrydges
    • Sodium Helpdesk: Unable To Create Password In Chrome

      I created an account at https://sodium.waxquixotic.com and on clicking the confirmation link received in the email, the link takes me to my Chrome browser where I can briefly see the spot for password creation however it disappears in under a second, immediately taking me back to the standard login screen without giving me the ability to create a password. The behavior exists whether I click the link in the email or copy/paste the URL into a new browser window in Chrome.

      Google Chrome Version 60.0.3112.90 (Official Build) (64-bit)
      Windows 10 Pro 1607

      This behavior does not exist when I copy and paste the email confirmation link into my MS Edge browser. In Edge, I am able to see the password creation overlay and once typed in, proceed to the dashboard.

      posted in SodiumSuite sodium help desk sodium bug report
      NashBrydges
    • RE: Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost

      @jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

      @nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

      @brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

      I've been using an ERL at home for a while and have them deployed at several businesses. Zero complaints and I recommend them all the time.

      I wish I could use it at home. I'm on Bell Canada ftth and they use a different vlan for iptv and internet. All of the online guides I've seen haven't been able to get me to use my ERL and Bell won't give up which VLANs they use.

      No one has figured this information out yet?

      Sadly not yet, at least not that my Google-fu has allowed me to find.

      posted in IT Discussion
      NashBrydges
    • RE: Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost

      @brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

      @nashbrydges seems like they would be able to put their equipment in bridge mode for you.

      They refuse to let that happen too. They tell me that if in bridge mode, the iptv will fail. What I really wanted was for them to enable the second network connection on the ONT but they won't do that either. sigh. I'd switch to another provider if I wasn't already addicted to the Gb speed.

      posted in IT Discussion
      NashBrydges
    • RE: Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost

      @brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

      I've been using an ERL at home for a while and have them deployed at several businesses. Zero complaints and I recommend them all the time.

      I wish I could use it at home. I'm on Bell Canada ftth and they use a different vlan for iptv and internet. All of the online guides I've seen haven't been able to get me to use my ERL and Bell won't give up which VLANs they use.

      posted in IT Discussion
      NashBrydges
    • RE: Installing Debian 9.1 minimal

      @jaredbusch said in Installing Debian 9.1 minimal:

      @scottalanmiller said in Installing Debian 9.1 minimal:

      I'm liking Debian more and more as I use it. However the install process has a ridiculous number of screens.

      You can choose a different install method and should see fewer screens. My guides are not for the advanced users though.

      The less advanced users thank you profusely for that.

      posted in IT Discussion
      NashBrydges
    • RE: ioSafe: down?

      @gjacobse Same here.

      posted in IT Discussion
      NashBrydges
    • RE: Do you use Guacamole?

      @travisdh1 said in Do you use Guacamole?:

      fail2ban can handle it, tho some issues with rule matching happens according to the Google search I just did. https://www.jimwilbur.com/2016/08/fail2ban_guacamole/

      Fail2ban now appears to be blocking failed attempts.

      Using your link, I noticed catalina.out wasn't capturing failed logins so I created a blank file at /etc/rsyslog.d/tomcat.conf and then restarted rsyslog.

      The regex wasn't working and the link didn't have the proper regex to use so a little search brought me here.
      https://www.cb-net.co.uk/linux/debian-8-6-proxy-guacamole-via-nginx-using-https-and-fail2ban/

      About 3/4 of the way down, the correct regex is shown as follows.
      failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.

      Restarted Fail2ban and confirmed that the regex would work
      fail2ban-regex '/var/log/tomcat8/catalina.out' /etc/fail2ban/filter.d/guacamole.conf

      I tried to login using an incorrect user/pwd combo. Sure enough, the outcome was this (masked IP address).

      nashbrydges@guacamole:~$ sudo fail2ban-client status guacamole
      Status for the jail: guacamole
      |- Filter
      |  |- Currently failed: 1
      |  |- Total failed:     13
      |  `- File list:        /var/log/tomcat8/catalina.out
      `- Actions
         |- Currently banned: 1
         |- Total banned:     2
         `- Banned IP list:   xxx.xxx.xxx.135
      
      posted in IT Discussion
      NashBrydges
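The filter check described in the post above, as an added example that is not part of the original post: the quoted failregex is applied to constructed log lines to show which address `<HOST>` captures when the log records a bracketed address list, and which lines the filter ignores. The IPv4-only `HOST_PATTERN` is a simplified stand-in for fail2ban's own `<HOST>` expansion, and `maxretry=3` is an assumed threshold.

```python
import re
from collections import Counter

# failregex exactly as quoted in the post.
FAILREGEX = r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.'

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_PATTERN = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Constructed sample lines (documentation address ranges), not real log output.
SAMPLE_LOG = '''\
12:01:10.101 WARN  Authentication attempt from [203.0.113.7, 192.168.100.77] for user "admin" failed.
12:01:12.455 WARN  Authentication attempt from [203.0.113.7, 192.168.100.77] for user "root" failed.
12:01:15.020 WARN  Authentication attempt from [203.0.113.7, 192.168.100.77] for user "guacadmin" failed.
12:02:40.900 WARN  Authentication attempt from [198.51.100.20] for user "nash" failed.
12:03:01.300 INFO  User "nash" successfully authenticated from [198.51.100.20, 192.168.100.77].
12:04:00.000 WARN  Authentication attempt from 198.51.100.99 for user "x" failed.
'''


def compile_failregex(failregex=FAILREGEX):
    """Substitute the <HOST> placeholder and compile the filter."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def failed_hosts(log_text, pattern=None):
    """Count matching failure lines per captured host."""
    pattern = pattern or compile_failregex()
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            # With a bracketed list, <HOST> is the FIRST address; the optional
            # (?:,.*)? group swallows the remaining entries (the proxy hop).
            hits[match.group('host')] += 1
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose failure count reaches the (assumed) maxretry threshold."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= maxretry)


if __name__ == '__main__':
    for host, count in failed_hosts(SAMPLE_LOG).items():
        print(f'{host}: {count} failed attempt(s)')
    print('would ban:', hosts_to_ban(SAMPLE_LOG))
```

The last constructed line has no brackets around the address, so this regex does not count it; a log that records addresses that way needs a second failregex line.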
    • RE: Do you use Guacamole?

      @travisdh1 Sweet! Gonna have to give this a try.

      posted in IT Discussion
      NashBrydges
    • RE: Do you use Guacamole?

      @stuartjordan said in Do you use Guacamole?:

      It's very good, I have installed and used many times, would be nice to have a feature to limit the amount of login attempts or Google Captcha.

      I wrote a custom Fail2ban block script for a web app I had designed for a friend. Do you know where the access logs would be stored for Guac? I might be able to create something similar to use Fail2ban for.

      posted in IT Discussion
      NashBrydges
    • RE: Do you use Guacamole?

      @fateknollogee said in Do you use Guacamole?:

      @nashbrydges I'm interested. You have any how-to-install notes?

      I can't take any credit for these but I used the install script here with a fresh Ubuntu 17.04 install and it worked flawlessly.

      https://www.chasewright.com/guacamole-with-mysql-on-ubuntu/

      He also has one for a CentOS7 install somewhere on his site.

      My Nginx proxy runs on a separate VM but the conf file for that looks like this.

      server {
         listen 80;
         server_name mydomain.ca;
         return 301 https://$server_name$request_uri;
      }
      
      server {
        listen 443 ssl http2;
        server_name mydomain.ca;
        
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy strict-origin;
        #Had to comment out the line below as the CSP policy broke functionality.
        #add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
        ssl_stapling on;
        ssl_stapling_verify on;
        server_tokens off;
      
        ssl on;
        ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        proxy_cookie_path / "/; secure; HttpOnly";
      
      
          location / {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass http://192.168.100.79:8080/guacamole/;
             #The line below is required because Guacamole is essentially streaming so buffering would get in the way
              proxy_buffering off;
              proxy_redirect off;
              access_log off;
              proxy_cookie_path / "/; secure; HttpOnly";
      
              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
         }
         
      }
      
      

      One additional note that took some Googling. If you're going to remote into a Win 10 desktop, you not only need to disable the NLA checkbox but you also need the following registry change.

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

      Change the value from a 2 to a 1 for the following key

      "SecurityLayer"=dword:00000001

      So far it seems exceptionally smooth and way better than using my Sophos XG HTML5 RDP function. Not to mention I can run all of it through the proxy and manage SSL via Nginx which I can't do through Sophos XG.

      posted in IT Discussion
      NashBrydges
    • Do you use Guacamole?

      I just set up a guacamole VM on my Hyper-V host and after some fiddling with the Nginx conf file, I was able to get the portal to work through the proxy. Awesome! Now the paranoid side of me kicks in and probably unnecessarily. I've created a 40 character password to log into Guacamole along with a 30 character password for the subsequent Windows password. Wondering if anyone has ever heard of any security holes or issues with Guacamole that would make you re-think exposing it to the web even with SSL and long, complex passwords.

      Is it time to put my tinfoil hat away? I realize that's what it was designed to do.

      posted in IT Discussion guacamole
      NashBrydges
    • RE: Install Alfresco Community Edition On Ubuntu 17.04

      @scottalanmiller Just testing it out for now but so far so good. I had a client ask me for a good document management solution that wouldn't break the bank and could be hosted locally so I immediately thought of this. I've given him access to see if this could work and from the sounds of his feedback, he might want it set up.

      posted in IT Discussion
      NashBrydges
    • Install Alfresco Community Edition On Ubuntu 17.04

      This assumes you have already installed Ubuntu server on your VM. You're going to need at least 8GB memory. I realized this after I got an error with only 4GB assigned to the VM.

      1. Go to https://www.alfresco.com/alfresco-community-download

      2. Find the Linux download link and right-click and select "Copy link address"
        [image]

      3. Go back to your server and download Alfresco
        wget http://eu.dl.alfresco.com.s3.amazonaws.com/release/community/201707-build-00028/alfresco-community-installer-201707-linux-x64.bin

      4. Create a directory for the installation
        sudo mkdir -p /var/www/html/alfresco

      5. You're going to need to add a few libraries (if you copy/paste, these should be single lines, the web page here may wrap longer lines)
        sudo add-apt-repository ppa:opencpn/opencpn
        sudo apt-get update
        sudo apt-get install -y libfontconfig1 libsm6 libice6 libxrender1 libxt6 libcups2 opencpn libcairo2 ttf-mscorefonts-installer

      6. Because you're installing MS Fonts, you'll have to accept the EULA
        [image]
        [image]

      7. chmod and run
        chmod u+x alfresco-community-installer-201707-linux-x64.bin
        sudo ./alfresco-community-installer-201707-linux-x64.bin

      8. You'll get a warning about LibreOffice not being installed. Ignore, select "y" and continue.
        [image]

      9. Choose your language and press [ENTER]
        [image]

      10. Choose option 2 for Advanced Install at the next screen
        [image]

      11. Choose the following options for the next 9 selections

      Java				– yes
      PostgreSQL			– yes
      LibreOffice			– yes
      Alfresco Community Edition	- yes
      Solr1				– no
      Solr4				- yes
      Alfresco Office Services	- yes
      Web Quick Start			– yes
      Google Docs Integration		– yes
      
      12. When prompted for an installation folder, enter the folder path you created in step #4 above
        [image]

      13. For the next 8 selections, simply enter the default suggested values.

      Database Server Parameters	= port 5432
      Web Server domain		= 127.0.0.1
      Tomcat Server Port		= 8080
      Tomcat Shutdown Port		= 8005
      Tomcat SSL Port			= 8443
      Tomcat AJP Port			= 8009
      LibreOffice Server Port		= 8100
      Alfresco FTP Port		= 21
      
      14. When prompted for an Admin password, choose one and enter it in each of the following 2 selections
        [image]

      15. When prompted to install Alfresco as a service, choose "y" and press [ENTER]
        [image]

      16. Proceed with installation
        [image]

      17. Select "n" to view Readme file and Launch Alfresco when prompted.

      This might take a while. Even after the screen shows the server has started, accessing the web page may take a few minutes so be patient. To access the web page go to the IP address of your server in your favorite browser.
      http://192.168.100.78:8080/share

      To configure SSL using Nginx, create a new conf file for your new site (assuming Nginx is already installed). In my case, I am running it on a separate server. I am running Nginx on 192.168.100.77 and Alfresco is running on 192.168.100.78 so my conf file looks like this.

      server {
         listen 80;
         server_name mydomain.com;
         return 301 https://$server_name$request_uri;
      }
      
      server {
        listen 443 ssl http2;
        server_name mydomain.com;
        
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy strict-origin;
        ssl_stapling on;
        ssl_stapling_verify on;
        server_tokens off;
      
        ssl on;
        ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        proxy_cookie_path / "/; secure; HttpOnly";
        rewrite ^/$ /share;
      
      
          location / {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass https://192.168.100.78:8443;
              proxy_redirect off;
      
              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
         }
      }
      
      18. Test your Nginx conf file and if everything looks ok, restart Nginx
        sudo nginx -t
        sudo systemctl restart nginx

      One important thing to remember is that, and this is the one thing that stumped me for a bit and took some Googling to find, enabling SSL means that you must change the proxy_pass port number as well as protocol to "https" (change IP address as needed). I've removed domain name and site name in the attachment below.
      proxy_pass https://192.168.100.78:8443;
      [image]

      posted in IT Discussion how-to alfresco nginx
      NashBrydges
    • Duplicate Headers Found But I Can't See Them

      I've finally migrated all of my web servers to use Nginx as a proxy running on a separate server which does nothing but serve as a proxy and manage SSL certs. But when I check raw headers for my new Nextcloud install, I get a warning stating there are duplicates found. The server running Nextcloud has Apache but no SSL configured as that's all managed through the proxy.

      Here is the warning I get.

      [image]

      I don't have anything else running on this server except Nginx. There are other config files but they are for separate domains so I can't understand why it is telling me I have duplicates. I got this warning from both https://securityheaders.io and https://observatory.mozilla.org. Any ideas where I should be looking?

      Here is my Nginx conf file.

      server {
         listen 80;
         server_name mydomain.com;
         return 301 https://$server_name$request_uri;
      }
      
      server {
        listen 443 ssl http2;
        server_name mydomain.com;
        
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy strict-origin;
        ssl_stapling on;
        ssl_stapling_verify on;
        server_tokens off;
      
        ssl on;
        ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        proxy_cookie_path / "/; secure; HttpOnly";
      
      
          location / {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass http://192.168.100.80;
              proxy_redirect off;
      
              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
         }
      }
      

      My Nextcloud Apache conf file is this.

      <VirtualHost *:80>
       DocumentRoot "/var/www/nextcloud"
       ServerName mydomain.com
      
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
      
      <Directory /var/www/nextcloud/>
       Options +FollowSymlinks
       AllowOverride All
      
       <IfModule mod_dav.c>
       Dav off
       </IfModule>
      
       SetEnv HOME /var/www/nextcloud
       SetEnv HTTP_HOME /var/www/nextcloud
      
      </Directory>
      
      </VirtualHost>
      
      posted in IT Discussion nginx
      NashBrydges
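One way to narrow down where a duplicated header comes from, as an added example that is not part of the original post: compare the headers seen through the proxy with the headers the backend returns when queried directly. Both header blocks below are constructed, and `PROXY_ADDED` lists the four `add_header` names from the Nginx conf above.

```python
from collections import defaultdict

# Header names the proxy conf in the post sets with add_header.
PROXY_ADDED = {
    "strict-transport-security", "x-xss-protection",
    "x-content-type-options", "referrer-policy",
}
# Fields that legitimately repeat and should not be reported.
REPEATABLE = {"set-cookie"}

# Constructed response as seen through the proxy (not captured from a real site).
VIA_PROXY = '''\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: a=1; path=/; secure; HttpOnly
Set-Cookie: b=2; path=/; secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
'''

# Constructed response from the backend when queried directly, bypassing the proxy.
BACKEND = '''\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: a=1; path=/
Set-Cookie: b=2; path=/
'''


def parse_headers(raw):
    """Return {lowercased name: [values, ...]} from a raw header block."""
    fields = defaultdict(list)
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        fields[name.strip().lower()].append(value.strip())
    return dict(fields)


def duplicated(raw):
    """Header names that occur more than once, ignoring repeatable fields."""
    return {name: values for name, values in parse_headers(raw).items()
            if len(values) > 1 and name not in REPEATABLE}


def attribute_duplicates(via_proxy_raw, backend_raw):
    """For each header duplicated via the proxy, list the hops that emit it."""
    backend = parse_headers(backend_raw)
    report = {}
    for name in duplicated(via_proxy_raw):
        sources = []
        if name in backend:
            sources.append("backend")
        if name in PROXY_ADDED:
            sources.append("proxy add_header")
        report[name] = sources
    return report


if __name__ == "__main__":
    for name, sources in attribute_duplicates(VIA_PROXY, BACKEND).items():
        print(f"{name}: sent by {' and '.join(sources)}")
```

Nginx's `add_header` appends its field to the response without replacing one the upstream already sent, so a header attributed to both hops needs to be set in only one place, or hidden from the upstream response with `proxy_hide_header`.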