So, the idea is to use Vagrant to spin up and destroy KVM virtual machines, and use Ansible to provision and configure said VMs once they are made available. I'll work on getting Vagrant to use LVM for provisioning VM storage and I'll review the exhaustive granularity on the base configuration options available and report back. If time permits I'll do a write-up / how-to on my blog.

Posts
-
RE: Vagrant and KVM
@stacksofplates said in Vagrant and KVM:
What's the advantage to vagrant over just using Ansible with kickstart/preseed config?
From what I understand, Ansible integrates with the VM provisioning done using Vagrant. At the time of VM creation you can define a specific Ansible playbook from within the Vagrantfile that can completely configure your VM from the base Vagrant image, and kick off subsequent builds/configurations.
Vagrant alone is usually used directly by developers to build one-off environments that conform to the production environment's constraints. Ansible is most often used as an automation tool for Operations/DevOps to force/maintain uniformity/conformity of configuration in a production environment. Blending the two together aids in simplifying the configuration management of both production and development environments.
Hypothetically, I believe you could do everything you need to do in the absence of Vagrant just using Ansible and Ansible playbooks. I have a hunch that Vagrant allows you to abstract the base VM configuration out of your Ansible Playbooks and configurations and helps reduce the complexity of your playbooks and speeds VM deployment and administration. I'll hopefully be able to confirm that in the not so distant future...
-
RE: FreePBX Remote Extension Problems
@scottalanmiller said in FreePBX Remote Extension Problems:
@coliver said in FreePBX Remote Extension Problems:
With that Yealink I'm pretty sure you can limit communication over SIP to just the Asterisk server. I think it is the security section.
That's not where the security concern is, though. It's the other way, you want to limit it on the PBX. That people can use your handset for other things really doesn't matter.
The problem is the calls are being made directly to the device, circumventing the PBX completely... I'm getting odd extensions like 10001 and 1001 ringing the phone constantly.
I found an option in the device's configuration for IP calling that was enabled. So far (fingers crossed) since disabling that the problem has stopped.
For anyone else experiencing the issue, the option is:
Yealink WEB UI > Features tab > General Information Page > "Allow IP Calling"
Set the above to Disabled and confirm changes.
-
RE: FreePBX Remote Extension Problems
@scottalanmiller said in FreePBX Remote Extension Problems:
@coliver said in FreePBX Remote Extension Problems:
@RamblingBiped said in FreePBX Remote Extension Problems:
The caller is not originating from our FreePBX instance, and is spamming the device directly.
Wouldn't that seem to indicate that blocking all traffic but the SIP traffic from the PBX would resolve the issue of unsolicited calls?
I guess I might have the wrong end of the stick... are the phones getting calls that are NOT from the PBX? Rather than the PBX having anonymous calls routed through it?
Exactly. It seems that there are scripts running constantly looking for open SIP ports on public IPs. When they find them they attempt to make calls directly to the IP hoping to uncover an avenue of exploitation.
-
RE: FreePBX Remote Extension Problems
@wirestyle22 said in FreePBX Remote Extension Problems:
@RamblingBiped said in FreePBX Remote Extension Problems:
Aaaaaand I just received another call from some random extension.
Problem un-resolved.
Is there a direct number associated with the phone that they could be calling directly instead of routing to it?
No, I've actually got the DID/inbound route for dialing the phone directly tied to a Ring Group that rings a pair of phones; that is one of the reasons I know it is being dialed directly.
-
RE: Disable folder redirection for specific users
@thwr said in Disable folder redirection for specific users:
A deny-rule should do:
https://support.microsoft.com/en-us/kb/816100
Well, I want the folder redirection to apply to everyone, just not people using this specific laptop (and possibly other laptops in the future). From what I understand I should be able to create a new OU nested within my Domain structure as described above, link the new group policy forcing folder redirection back to local directories, and then put any devices on the domain in that OU to make the changes effective.
-
RE: Disable folder redirection for specific users
Update: So I got sick of chasing my tail on the problem and blew the machine out of the water and did a fresh build. Upon finishing updates, re-joining the domain, and moving the laptop into the new OU to apply the new policy to squash document redirection and... it automagically works!
Upon further investigation, the user had tried to initially make changes to the registry to "fix/correct" document redirection that was put in place by default. Yes, I know, "USERS SHOULDN'T HAVE THE ABILITY TO EDIT THE REGISTRY!!!" Well, in my case and the use case for these devices they have to have that ability. The laptops are used for development and they need to have full control over the systems. Also, the user is the CEO.
Thank you for the help!
-
RE: Disable folder redirection for specific users
@chrisnbrooks said in Disable folder redirection for specific users:
In my GP implementation of Folder Redirection, I have a User Group for Redirected Folders and my policy only applies to users in that group. In order to disable Redirection, I simply remove that user from the group. Just had to do this for a user today, which reminded me of this thread. Hope you found an elegant solution here!
Yeah, the functionality I needed was having users keep their folder redirection, but only removing it on specific devices. My problem ended up being my user turning their Windows registry into Swiss cheese trying to "fix" the folder redirection themselves before coming to me. Once I did a rebuild and repeated the process I found the problem wasn't my group policy implementation.
Everything is now working as expected/desired.
-
RE: I'll Show You Mine If You Show Me Yours, Home Labs
@Dashrender said in I'll Show You Mine If You Show Me Yours, Home Labs:
Are those RAM sticks tiny? otherwise why so many?
Because I can?
The price of 72GB versus 48GB was negligible at the time of purchase so I went ahead and went with the larger amount and had them populate all the slots.
-
RE: I'll Show You Mine If You Show Me Yours, Home Labs
@Dashrender said in I'll Show You Mine If You Show Me Yours, Home Labs:
@RamblingBiped said in I'll Show You Mine If You Show Me Yours, Home Labs:
@Dashrender said in I'll Show You Mine If You Show Me Yours, Home Labs:
Are those RAM sticks tiny? otherwise why so many?
Because I can?
The price of 72GB versus 48GB was negligible at the time of purchase so I went ahead and went with the larger amount and had them populate all the slots.
negligible? as in $20? or $200?
Less than $30 at the time I purchased it. The seller on eBay actually put the components I wanted together in a bundle for me and agreed on the price.
-
RE: Favorite Linux Distro
@scottalanmiller said in Favorite Linux Distro:
I'm posting from Ubuntu 16.04.1 and it's okay, but it's no Mint. But it installs on this laptop, so it is what it is.
I only choose Ubuntu for my desktop installs because it is quick, easy, and what most of my Engineers prefer/standardize things on. If I really wanted to put time and effort into it I would probably go with Mint or OpenSUSE. Right now, and until I get the time to put some serious study into PowerShell, I spend 90%+ time inside a terminal multiplexer accessed via a PuTTY session to one of my jump boxes. I might touch a Linux desktop once every couple weeks? As long as I have a working Firefox or Chrome browser I'm generally content.
-
RE: Ubiquiti Edge Router X questions.
I believe there is a wizard for setting up dual WAN. I've not configured any specific QoS via the Web GUI yet, but I can't imagine it would be much of a hassle. Everything I've set up via the web GUI has been very intuitive. I'm not powering my current AP off of the PoE passthrough, but I believe it should work. I'm sure someone will be chiming in soon that has it working in the wild.
-
RE: Securing Linux File Servers
DenyHosts is an alternative to Fail2Ban in regards to supplementing best practices of a properly configured SSH server. Fail2Ban allows you to configure jails for SSH and numerous other services, whereas DenyHosts is set to work only with SSH. If you're running on a resource-light VPS or VM, DenyHosts might be less of a tax on your system than a Fail2Ban implementation.
-
RE: Securing Linux File Servers
Make sure you take into consideration any risk that the company is mitigating by providing these services. What happens if data on the file server is somehow compromised? What will be the resulting fines/fees associated with the loss? Will you have to have your server audited by an external entity regularly? Who is going to perform the audits and how much will they cost?
-
Home Lab NAS
I'm in the research stage of purchasing a NAS for my Home Lab. I'm looking at the prices on 2 and 4 bay units and starting to wonder if I shouldn't just purchase a used server off of eBay and turn it into a NAS using FreeBSD or Linux.
$100-$200 for used server + $200-$300 for drives, or ~$400 for a small NAS and $200-$300 for drives?
I imagine the smaller NAS will use less energy and have a smaller footprint, but in reality I don't really care if it eats a little more juice; it will be living in my basement with my hypervisor.
Thoughts? Recommendations on other options I may not have considered?
-
ZeroTier Host
Does anyone have a reliable guide for setting up a ZeroTier host?
-
RE: ZeroTier Host
All intelligible and reasonable use cases aside, I might try and work on this a little this weekend to see if I can get a host up and running on my home network. If I do I will try and document the process and put it out in the wild.
I think this is their documentation for getting started: https://github.com/zerotier/ZeroTierOne/tree/master/controller
-
RE: I passed....
Congratulations on being a certified Certified Ethical Hacker!
-
RE: Windows 10 File Explorer Problems
So the issue seems to be network related... How, I'm not sure. I have remote access to his system and I'm able to browse local directories just fine. If I open an application like Notepad and attempt to save a file it hangs for around 90 seconds before opening the Save As dialog box.
I've also done the following:
-disabled Antivirus
-disabled firewall
-changed quick access to "This PC"
-disconnected all network drives
I'm currently trying the SFC / DISM "solution" right now. But the fact that this works without issue when he's disconnected from a network is really odd. And the fact that I can browse all local directories and create new folders/files directly in File Explorer without any issue is kind of strange as well.
-
RE: Windows 10 File Explorer Problems
So I downloaded Sysinternals TCPView and ran it while trying to save a test file from Notepad.exe. Lo and behold, the application tries to access the disconnected network drive via IP address over HTTP. WHY?!?!?!?!
Any clues as to how I can stop this from happening? Any idea WHY it is trying to access a network share that has been disconnected?