    • JaredBuschJ

      Fedora 32 server disables root by default

      IT Discussion fedora 32 root security
      8
      0 Votes
      8 Posts
      1k Views
      scottalanmillerS

      @JaredBusch said in Fedora 32 server disables root by default:

      @scottalanmiller said in Fedora 32 server disables root by default:

      @black3dynamite said in Fedora 32 server disables root by default:

      @scottalanmiller said in Fedora 32 server disables root by default:

      @black3dynamite said in Fedora 32 server disables root by default:

      It's been like that since Fedora 31. At least with the netinstall everything iso.

      Gotta be the Netinstall because we install this constantly, every few days, and in the Server Edition, it's not there by default.

      root account is disabled with the following ISOs:
      Fedora-Everything-netinst-x86_64-31-1.9.iso
      Fedora-Server-dvd-x86_64-31-1.9.iso
      Fedora-Server-netinst-x86_64-31-1.9.iso
      Fedora-Workstation-Live-x86_64-31-1.9.iso

      Must be in 1.9. We do these constantly and haven't seen it yet.

      Was there more than one ISO release of Fedora 31? There is not always.

      Not sure. I just looked and we are on the 1.9 ISO and it definitely has a different default.

    • hobbit666H

      Securing SSH

      IT Discussion ssh ssh keys security
      60
      1 Votes
      60 Posts
      7k Views
      scottalanmillerS

      @stacksofplates said in Securing SSH:

      Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.

      Right. Just like the best defense is a good offense (or vice versa?). The most secure port is a closed port. Locking down SSH, no matter how good, isn't as good as completely closing it.

      Or using config management to only open it when necessary, is an "in between" step, too.

    • EddieJenningsE

      Reverse Proxy for VPS VMs

      IT Discussion vps reverse proxy best practice security
      4
      0 Votes
      4 Posts
      881 Views
      EddieJenningsE

      I like the idea of the web application firewall, and that looks like something that can be set up on the same VM as what would be running Nextcloud, etc.

    • JaredBuschJ

      WP-CLI and database users

      IT Discussion wp-cli wp wordpress security
      26
      0 Votes
      26 Posts
      3k Views
      1

      @JaredBusch said in WP-CLI and database users:

      @Pete-S said in WP-CLI and database users:

      @JaredBusch said in WP-CLI and database users:

      @Pete-S said in WP-CLI and database users:

      And when you use -e you should have it after user and password so the SQL commands you want to execute come after the -e.

      That was a once off artifact of me doing it on this system after the root password has been set.

      OK, so maybe this then:

      sudo mysql -e "CREATE USER $DB_USER@localhost IDENTIFIED by '$DB_PASS';"
      sudo mysql -e "GRANT ALL ON $DB_NAME.* TO $DB_USER@localhost;"
      sudo mysql -e "FLUSH PRIVILEGES;"

      Right. Updating the guide. But half tempted to leave the single quotes everywhere if that causes no error in order to protect against spaces by others. Though I am using pwgen to do this.

      It's kind of f*cked up to have spaces in user names and passwords. Personally I don't use something unless it's specifically needed but either way works.

    • scottalanmillerS

      How Modern Applications Nullify Ransomware

      IT Discussion security ransomware malware
      4
      5 Votes
      4 Posts
      674 Views
      Emad RE

      @scottalanmiller

      Whole article is great but the last 2 lines are 👍 👍

      Shame that NextCloud + OnlyOffice is not really there, I tried it when I was working with MSFF... definitely interesting but needs some time.

    • IT-ADMINI

      How Can You Prevent Non-Domain Users from Getting an IP Configuration

      IT Discussion active directory domain active directory network access control security networking
      16
      0 Votes
      16 Posts
      2k Views
      scottalanmillerS

      Discussion on the policy side of this is over here:

      https://mangolassi.it/topic/20894/policies-vs-network-access-control

    • JaredBuschJ

      O365 Compliance Content Search Error

      IT Discussion o365 office 365 microsoft security content search
      3
      0 Votes
      3 Posts
      634 Views
      NDCN

      I've seen issues with search for the last week or so. A few people here have been unable to search public folders or their inboxes on and off. Supposedly resolved. We'll see...

    • 1

      Is the concept of DMZ obsolete?

      IT Discussion dmz firewall security infosec network security
      6
      1 Votes
      6 Posts
      980 Views
      scottalanmillerS

      A proper DMZ is still a valid concept, but was never that big of a deal. There are almost no resources that make sense to put there. If you have those resources, then sure. But who does? The advent of cloud computing, cheaper colocation, better IT knowledge, etc. has led most shops to not try to make "internal/external" shared resources where one side is public and the other uses LAN security; and what little of that remains in need is generally addressed with VLANs in a slightly different way.

    • AmbarishrhA

      Evaluating Defender ATP

      IT Discussion defenderatp windows defender atp microsoft defender atp office 365 security anti-virus antimalware ransomware
      26
      0 Votes
      26 Posts
      4k Views
      DashrenderD

      @marcinozga said in Evaluating Defender ATP:

      @Dashrender said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      @Dashrender said in Evaluating Defender ATP:

      @Obsolesce said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      @Dashrender said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      @Ambarishrh said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      I was about to evaluate it too, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perhaps sales misled me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

      Not sure how they gave you that info! An average pricing structure is as below

      7455634e-b366-4cb5-af6e-859115ac1fcd-image.png

      And security products straight from O365 admin portal subscriptions page:
      560b3413-64e4-4a77-9b6c-27030798a842-image.png

      These are prices IF you already have one of their subscriptions. If you don't need them or have something else, you're paying $15-$20 per month per endpoint. That's how much it costs per year if you go with other av vendor.

      But as mentioned - $15-20 per year is only for typical AV, not an ATP product.

      And the difference between the two is.....? ATP is really just a marketing phrase at this point. Here are some features from "traditional" av:

      malware protection, both behavioral and definition based
      ransomware protection
      phishing protection
      ids/ips
      device control
      exploit blocker
      botnet protection
      web filtering
      memory analysis
      central management, either cloud or local

      And a full forensics audit trail?

      I'm really curious which ones have this stuff for 15-18 times less the cost of Defender ATP?

      I'm having a hard time finding what the real price here is?

      I know that Intune is like $4/user/month, aka $48/user/year. This makes it 2-3 times more expensive than typical AV packages - of course, it gives you a lot more features at that price point.

      The above posts have a dozen different security things listed.

      As @marcinozga says, typical AV with many of the above mentioned features (but not all - and full forensics trails - forget about it) for like $15-20/user/year

      ATP is not available if you have just Intune, you need O365 or M365 Enterprise subscriptions, or Windows 10 Enterprise.
      O365 E3 is $20/mo plus ATP add-on, I think it's $2/mo. I don't know how much is Win 10 Ent, so I'm guessing O365 E3 is the cheapest route, at $22/mo, that's $264 a year. Depending on number of endpoints you can get AV for $15/year, perhaps even less.

      That's an unfair assessment. If you already have O365 E3, then it's only $24/year/user

      Also - is O365 E3 the requirement, or can you add ATP onto E1?

      Is Windows 10 Enterprise a requirement of ATP? Things I was reading last night never mentioned that.

      It is fair. What if you don't have O365 because you don't need it or use something else? Other AV don't force you to buy any extra services, you can get AV on a plain vanilla Windows machine.

      From the document I got from Microsoft, E3 is minimum. It's O365 E3 or Windows 10 Ent.

      If you're not in the O/M365 ecosystem already - then you likely wouldn't even consider this plan, you would likely look at another option... so yeah, it's not a fair comparison.

      Now, you could decide, since you are looking at this solution, that you might want to change your other solutions at the same time since MS has these bundled together... but you don't just line item this entire cost all on the ATP project, you split it out.

    • scottalanmillerS

      Simple Password Compromise on MailGun

      IT Discussion mailgun smtp email security passwords
      13
      5 Votes
      13 Posts
      2k Views
      scottalanmillerS

      @sully93 said in Simple Password Compromise on MailGun:

      @scottalanmiller, which service did you go with after dropping MailGun? We are looking at a relay service and have MailGun on our list. This is a bit concerning that they shut you down like that. We're also looking at Postmark and SendGrid.

      We made the call to just move to Zoho and get email hosted. We've been super happy with Zoho.

    • wrx7mW

      This doesn't sound right - 3rd-Party "Deduction Management Firm"

      IT Discussion email security e-mail
      23
      0 Votes
      23 Posts
      2k Views
      wrx7mW

      @Kelly said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

      It hasn't gone into effect, but as of 1/1/20 you will be operating under this law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

      Thanks. At this point, it is only companies that this request would apply to.

    • travisdh1T

      Cisco loses lawsuit for firing whistle blower.

      IT Discussion cisco security blunder
      1
      4 Votes
      1 Posts
      463 Views
      No one has replied
    • wrx7mW

      Sales Person Wants Me to Provide Independent Rep With an Email Account

      IT Discussion email office 365 security complaince
      23
      1 Votes
      23 Posts
      2k Views
      scottalanmillerS

      @wrx7m said in Sales Person Wants Me to Provide Independent Rep With an Email Account:

      @scottalanmiller said in Sales Person Wants Me to Provide Independent Rep With an Email Account:

      My second thought is, if having an email account creates a security concern, it is not creating the account that creates the problem, it simply exposes an existing security problem.

      Not necessarily security, but accessing features like SFB, OD and Teams. But, as Kelly mentioned, they have Exchange Online P1, which doesn't have any of the other services (different than E1.)

      Right, I was assuming that they'd only get email. Even those other things, though, still have security, but no reason to think that you'd provision those, too.

    • travisdh1T

      Lenovo EMC NAS security vulnerability.

      News lenivo security
      1
      2 Votes
      1 Posts
      331 Views
      No one has replied
    • scottalanmillerS

      Ransomware Hits Windows 10 Litar Extension

      IT Discussion security ransonware
      9
      1 Votes
      9 Posts
      1k Views
      S

      Maybe they have a couple keys...

    • steveS

      Physical Security - CompTIA Network+ N10-007 Prof. Messer

      Training comptia certification security network+ prof messer youtube it training it career video training
      1
      1 Votes
      1 Posts
      564 Views
      No one has replied
    • JaredBuschJ

      SSH Hardening

      Solved IT Discussion ssh sshconfig hardening security fail2ban jumpbox
      16
      5 Votes
      16 Posts
      2k Views
      JaredBuschJ

      So I set this up again on a new jump box today.

      SSH attempts did not log until I changed the mode to ddos

    • steveS

      Network Address Translation - CompTIA Network+ N10-007 Prof Messer

      Training comptia network+ prof messer networking youtube video training it training it career nat routing firewall security
      3
      2 Votes
      3 Posts
      747 Views
      IRJI

      @mary said in Network Address Translation - CompTIA Network+ N10-007 Prof Messer:

      Is there any kind of slowdown when using just one port if you are getting a lot of traffic?

      No, not really. The most commonly used ports are 80 and 443. They process quite a bit of traffic on your average workstation.

      In fact, most servers are designed to work with a single port or just a handful of ports open. For custom applications, using a specific port makes it easier to troubleshoot issues and restricts non-application traffic. Many apps are defaulting to 443 these days. Although, keep in mind SSL/TLS can operate on other ports.

    • steveS

      Windows Firewall with Advanced Security - CompTIA A+ 220-1002 Prof Messer

      IT Careers a+ comptia certification prof messer firewall networking security windows windows system administration it career it training video training youtube
      13
      3 Votes
      13 Posts
      2k Views
      scottalanmillerS

      @brianwinkelmann said in Windows Firewall with Advanced Security - CompTIA A+ 220-1002 Prof Messer:

      What about the Windows Defender, I mean the antivirus and the firewall of Windows? They go hand in hand, right?

      They go together as in they are both security components of the Windows operating system. But that's about the extent of it. They are both very good, they should both always be used, they are both for the purpose of security. But they are not actually associated other than in name.

    • steveS

      Network Services - CompTIA A+ 220-1001 Prof Messer

      IT Careers networking utm security prof messer comptia a+ it training it careers certification
      10
      2 Votes
      10 Posts
      1k Views
      travisdh1T

      @scottalanmiller said in Network Services - CompTIA A+ 220-1001 Prof Messer:

      @valentina said in Network Services - CompTIA A+ 220-1001 Prof Messer:

      Are proxy servers used for security purposes? Do they have other functions?

      Yes, very much so.

      They are also very commonly used to allow a single IP address to be used for many services. The most common example... a single proxy server with a single (expensive) public IP address can handle requests for hundreds of thousands, or even millions, of websites. Behind the proxy server can be one or one million separate web servers each serving out applications or web sites or whatever and the proxy server can look at the incoming request and determine, based on the URL used, which server and port to send the request to behind itself.

      Because of the above, they are often used for load balancing because they can send requests to different servers for the same application or site.

      Proxy servers often have caches in them, too. So they quite often store simple, static information "at the edge" to deliver it faster while the application servers behind them do the heavy work for database requests and stuff.

      Proxy servers are sometimes used to "hide" the true location of a server. Cloudflare famously does this so that attackers have no idea where a web site actually comes from, all they see is Cloudflare's proxies.

      A proxy can also do things like handle SSL security so that web servers behind it (or other servers, proxy doesn't imply web) don't have to do that work, as well.

      Hrm, I only have around 20 subdomains pointing to the same IP so far. If my home lab box was a little beefier I'd take this as a challenge. (Scott might as well be describing my home lab environment here.)
