• 0 Votes
    48 Posts
    6k Views
    scottalanmiller

    @Dashrender said in Does block level sync exist?:

    @scottalanmiller said in Does block level sync exist?:

    @Fredtx said in Does block level sync exist?:

    @scottalanmiller Let me clarify. I want to make sure the "good" backups are copied to the offsite storage. So if the building were to catch on fire or something, and the good copies are destroyed, I would want to be able to restore from the offsite storage. In my case, some of the data was missing from the offsite storage that should have been replicated from the local "good" backup. Not sure what happened, and why it was not copied over, but it did not. I figured there would be some kind of sync mechanism that would have caught that ahead of time, which Barracuda said there is no such sync. That is why I reached out to the community.

    We understand. And that's important because clearly your sync failed. It's just that it also exposed the fact that the original backups are not application aware (unless there is no application) so something that you should see as a very, very large issue. If you are responsible for the backups, that is. Otherwise, not your monkeys, not your circus.

    You're making an assumption that there's an app to back up - which wasn't 100% clear until this post. As you mention - he might just be backing up file servers - so no app involved - just files to back up.

    Even a pure file server is normally accessed. "File server" is a form of "database". A very specific form, but surprisingly similar to a document database. It would be super weird, but not actually impossible, to have a file server that holds files but is never accessed. But once you start accessing files, it's an application doing the accessing and we are right back to where we started. File servers tend to have known usage patterns and accepted backup failure modes, but the issue hasn't changed. It just feels that way. No file exists without an application.

  • Production KVM server "hardening"?

    0 Votes
    22 Posts
    2k Views
    Obsolesce

    @Pete-S said in Production KVM server "hardening"?:

    I'm thinking about running pure KVM on Debian for virtualization hosts. Not Proxmox. There will be no GUI on the servers, no web interface, only ssh for management.

    Do I need to do anything special to lock down the security?

    I've never used KVM in production, only on my desktop and then I've had virt-manager as well as tools like virsh. So I don't really know what is required for a pure KVM server to be as "secure" as Proxmox, xcp-ng or whatever.

    Keep the OS and everything updated. Keep drivers updated. Keep firmware updated. Use only key-based auth for SSH, add only specific devices to authorized_keys file. Ensure firewall configured well. Set up log alerts for access.

  • Per User RDP license check

    0 Votes
    5 Posts
    495 Views
    pmoncho

    @Dashrender said in Per User RDP license check:

    @pmoncho said in Per User RDP license check:

    I want to install a piece of software on the license server this afternoon to finish off a project and it will require a reboot.

    I wanted to reboot it in the middle of the day but don't want to cause an issue and get "The remote session was disconnected because there are no Remote Desktop License Servers available ...."

    Don't need 30-40 calling with an issue.

    wow - OK... While my gut tells me you'd be fine - the issue I would expect you to POSSIBLY get is someone trying to sign in right while the reboot is happening - but otherwise I would expect everything else to just stay running. But don't really know.

    I was thinking the same thing. As they say, timing is everything.

    Hell hath no fury, like a medical receptionist scorned. 🙂

  • RDP/RDS hardening (borrowed from another topic)

    0 Votes
    13 Posts
    795 Views
    scottalanmiller

    @JaredBusch said in RDP/RDS hardening (borrowed from another topic):

    @scottalanmiller said in RDP/RDS hardening (borrowed from another topic):

    I don't consider unpatched an issue - at least not an RDP issue.

    That one had an exploit live before it was patched.

    oh okay, that's a serious issue then, for sure.

  • Weird DNS resolution issue

    0 Votes
    15 Posts
    1k Views
    Dashrender

    @scottalanmiller said in Weird DNS resolution issue:

    @Dashrender said in Weird DNS resolution issue:

    I suppose it's possible that would have resolved this specific issue as the router would have been the only device making connections to the external DNS... but then again - it could have caused all machines to go without DNS when the upstream server stopped responding...

    Not very likely. Plausible, but not likely enough to avoid it.

    sure - but then again, I've never seen this situation before either - so I would have previously called it unlikely.

  • Tactical RMM

    0 Votes
    44 Posts
    9k Views
    notverypunny

    All good points.... I've been sitting alone with my thoughts for too long, good thing it's Friday.... Just an hour left

  • 2 disks or 1 disk with 2 partitions for new VM?

    0 Votes
    17 Posts
    1k Views
    JaredBusch

    @scottalanmiller said in 2 disks or 1 disk with 2 partitions for new VM?:

    @JaredBusch said in 2 disks or 1 disk with 2 partitions for new VM?:

    @Dashrender said in 2 disks or 1 disk with 2 partitions for new VM?:

    because smart phones have been out since the early 2000's

    iPhone was released in 2007

    I got my smart phone in 2006 and most people I worked with had had them for years at that point.

    People had BlackBerry and Palm OS devices, I did also.

    But the smartphone was not mass market until after the original iPhone.

  • Steam Deck - The Linux mobile hardware and OS we have always wanted

    3 Votes
    8 Posts
    784 Views
    scottalanmiller

    @IRJ said in Steam Deck - The Linux mobile hardware and OS we have always wanted:

    My first thought was why KDE as well. In reality though, no desktop environment is a perfect fit.

    Oh for sure. My first hunch would have been to stick with the default that everyone already knows and uses or to go with Deepin because it is so modern and slick.

    Don't get me wrong, I'm a fan of KDE and like what they do. It's good to see them keeping a presence in such an important and large scale device.

    @Romo will be proud as he's a KDE user.

  • Digital Business Card Service ...

    0 Votes
    4 Posts
    467 Views
    scottalanmiller

    Much of the point of the physical card is to make a mental pathway in the human, not the phone, which builds a memory and enforces the connection. That's why we use paper, the way it interacts with the person.

    Paper cards can always have all the info you want AND a QR code to allow for the digital transfer in a more universal way. That digital card isn't going to work with a laptop very likely. I have no idea how they work, as I've never had someone attempt to use one. If my phone is dead or not on me, it's useless. If my phone doesn't have your app, it's useless (I presume.) If I don't have the right kind of phone, I'm annoyed that you made me keep trying something you've not tested. Paper is universal and works.

    Also, not me, but I know a lot of people who use paper cards as little note cards to write additional info on. Can't do that with the digital.

  • nagios / pnp4nagios replacement

    0 Votes
    3 Posts
    573 Views
    scottalanmiller

    We use Zabbix and Grafana. Not Nagios. But similar goals.

  • Damaged/Lost Iphone in default setup - HIPAA secure?

    0 Votes
    8 Posts
    795 Views
    scottalanmiller

    @Dashrender said in Damaged/Lost Iphone in default setup - HIPAA secure?:

    @scottalanmiller said in Damaged/Lost Iphone in default setup - HIPAA secure?:

    If the question is "Can Israeli quasi-government hacking agencies get your data if necessary", then no. But it was never secure at all.

    LOL - Not sure where the Israeli quasi thing came from - but thanks for the laugh.

    The world's most advanced hacking toolsets are made by arm's length government contractors in Israel. That's where that tech is currently made pretty much regardless of which governments are using it.

  • Live migration Proxmox?

    0 Votes
    9 Posts
    2k Views
    JaredBusch

    @Pete-S said in Live migration Proxmox?:

    @JaredBusch said in Live migration Proxmox?:

    @Pete-S That is what the docs say. I have never tried.

    But also, why not have everything in the cluster? What is the need to make them "individual" hosts?

    Pools (resource pools) as they are called in xenserver/xcp-ng will put a lot of restrictions on the hosts.

    Pools are managed as one entity (through the pool master) and work best when you have shared storage.

    They are however a huge hassle when you don't have shared storage. So hosts that use local storage and are individual are best kept as separate hosts. So in this case everything started out as pools but has been migrated to individual hosts.

    Maybe it works differently in Proxmox, I've only used it in the lab on a single host.

    I manage multiple servers through the single IP of the cluster, but you can still directly access the individual nodes if you desire.

    I do not know about resource pools and such as I have not used those with Proxmox yet. Just multiple servers in a cluster, but no shared resources more than a setup for replication at one place. But that one is only for replication, so not a good example.

  • Grandstream GWN7660/GWN7664

    0 Votes
    22 Posts
    2k Views
    jt1001001

    @Dashrender I got the review unit back; and yes you can back up and restore the config from the on board controller:
    [image]

  • TP-link business switches?

    0 Votes
    17 Posts
    706 Views
    scottalanmiller

    @travisdh1 said in TP-link business switches?:

    @scottalanmiller said in TP-link business switches?:

    @Dashrender said in TP-link business switches?:

    @JaredBusch said in TP-link business switches?:

    @scottalanmiller said in TP-link business switches?:

    Yes, that's what I'm talking about. It's free and they host it for you. We've been using it for a few years. It's really quite nice. It's different than Unifi, which I can't explain. But it does a good job.

    I've been using UNMS since it came out. They rebranded it to UISP a couple years ago. I had no idea, or forgot, that they had a free hosted version of it.

    Yeah free hosted version as long as you have 5+ devices attached to it.

    And they aren't very serious about the limits. If you are a vendor, you'll have enough to do it for free easily.

    I almost have enough devices with just my personal stuff!

    Exactly, it's not hard. Especially when the simplest devices count. Buy a couple for your lab and voila.

  • AP's geared toward home use?

    0 Votes
    36 Posts
    3k Views
    stacksofplates

    @JaredBusch said in AP's geared toward home use?:

    For home use, not being set up like a business, you use the mesh router setups on the market today.

    From Ubiquiti, it is the AMPLIFI line

    From TP-LINK it is called Deco

    Home users should never have business gear set up unless they are a hobbyist or something.

    I’ve got an amplifi and my mom has a deco. Both work really well and can easily be managed from the app. This is pretty much what I recommend to people now.

  • How Many Minutes On An Unlimited Phone Line

    0 Votes
    6 Posts
    644 Views
  • UBNT: Disable SSID per AP

    0 Votes
    7 Posts
    355 Views
    travisdh1

    @gjacobse said in UBNT: Disable SSID per AP:

    @travisdh1
    Version 7.1.66

    They probably changed it.

    Guess it's time for me to upgrade.

  • Experience with NDR Solutions

    0 Votes
    34 Posts
    4k Views
    Obsolesce

    @stacksofplates said in Experience with NDR Solutions:

    Why is Sally accessing this service from a non work computer at 3 am her time with a Chinese IP address? Sure this request has the password but that doesn't sound valid.

    Which means you can automatically perform additional validation with MFA, or straight up deny access.

    There's a lot of options really. You can only allow access to certain systems and/or services via company devices enrolled in MDM, with up to date OS, encryption, and endpoint protection. You can verify endpoints and users with passwordless auth via Beyond Identity and in certain cases use additional MFA via Duo or whatever you want to set up.

    Sally is trying to log in to her company email. She's authenticated via passwordless auth via Beyond Identity on her work computer. Her work computer passes the health check seamlessly through BYID and allows her to access her email. Maybe she's also prompted for MFA always, or maybe only if she's logging in outside her normal geographic area on her work computer. Maybe (e.g. email) access is denied totally if from a non-company device. Options...