If you want to run Geekbench 4 on a linux server, this is how to install and run it.
Note that you need to have a working internet connection on the server.
You can run it as root or as any other user.

Let's start from the home directory and put the files there.
cd

Download the files from geekbench.com:
(change version number if needed for latest version)
wget http://cdn.geekbench.com/Geekbench-4.3.3-Linux.tar.gz

Extract the downloaded files:
tar -zxvf Geekbench-4.3.3-Linux.tar.gz

Go to the extracted folder:
cd Geekbench-4.3.3-Linux

Run the test in tryout mode, results are uploaded automatically:
./geekbench_x86_64

After a few minutes the test is completed and you'll see a link to a webpage which is unique for each test.

Upload succeeded. Visit the following link and view your results online:
https://browser.geekbench.com/v4/cpu/1234567

Just enter the link in any browser and you'll see the results of the test.

@dbeato said in NVMe and RAID?:

One of the first Dell Servers with Hotswap NVME was the R7415 so yeah
https://www.dell.com/en-us/work/shop/povw/poweredge-r7415

Not sure what others have seen.

The newer ones have a 5 in the model number, so R7515, R6515 etc.
That's the ones you want to buy. AMD Epyc 2 Rome CPUs.

Dual sockets models are R7525, R6525 etc.

And to make this complete: 6 is 1U and 7 is 2U. R7515, R6515 etc.

@jasgot said in Macbook Air for College:

Daughter wants a Mac laptop for college. Any suggestions?

Yes, take her to the store and buy the one she wants.

Buying an Apple product is not a technical issue that needs to be figured out. It's an emotional issue. Like a Gucci bag.

If you have a RAID controller with 8 ports, you can connect up to 8 SAS/SATA drives directly to the RAID controller. That's fine but if you for instance have a server with say 36 drive bays you would need a 36 port RAID controller. Those are hard or maybe even impossible to find.

Well, here is where the SAS expander comes into play. It will work somewhat like a network switch but for SAS/SATA ports.

The SAS expander IC can be integrated directly on the backplane of the drive bays or it can be a standalone card or PCIe card. These are often used when you have more than 8 drive bays and even more so when you have 16 or more drive bays.

It allows you to expand the number of drives the RAID controller is able to connect to. It's transparent to the user because the RAID cards have integrated support for SAS expanders. This is also true of HBAs (Host Bus Adapters).

The only drawback is that the maximum transfer rate is, as always, limited by the PCIe link to the RAID controller card but also by the SAS connections from the RAID controller to the SAS expander. In real life though these bottlenecks are seldom bottlenecks as it's uncommon to read from all drives at the same time and drives are also often slower, especially when using HDDs.

SAS expanders are also used heavily in external JBOD chassis which are expander chassis for drive bays that you connect to a server so you can attach more drives than fits in the standard enclosure, aka Direct Attached Storage DAS. In that case the SAS expander sits inside the JBOD chassis.

@hobbit666 said in How to Secure a Website at Home:

Why not GitHub or GitLab for free?

That was part of the etc
Also I thought GitHub was more for storing scripts and opensource stuff.

It's not generic hosting of websites as you don't have control like you would on a normal webserver.

It's simplified hosting and the github/gitlab pages was initially intended to complement the projects on there. So it would be easy to make a html website from the git repositories, for instance for documentation.

Since you can store any files on gitlab/github you could of course also use the pages for any type of static website.

Here is how to get started in the simplest way possible:
https://guides.github.com/features/pages/

Good to know about WoeUSB.

If you have windows available, rufus is an easy tool to make bootable USB drives.
Doesn't need to be installed and it's fast.
https://rufus.akeo.ie/

But in all honesty it's very easy to make a bootable windows installer USB drive manually. Just make a primary bootable FAT32 partition on the USB drive and copy the files from the ISO onto it. Done.

You can copy more files onto the drive, for instance drivers or other software. If you do that, it makes sense to make a dd image of the entire thing when you're done. That way you can easily write a new USB drive with your custom files on it.

First, ransomware is big business run by organized crime. I think about 19 billion dollar per year industry.

Everything can be compromised in different ways. There is just no way to protect your data 100% and to think otherwise is just naive.

We have chosen to go with tape as our last line of defense. Once you take it offline there is no way it can be remotely compromised. We believe that is enough to be able to recover from most attacks and the cost is reasonable.

Integrity of files

If you want to check the integrity of a bunch of files you can do it with md5deep, which can be thought of as a recursive version of md5sum. It was initially designed for forensic work.

If a file has the same hash as another file they are identical. If you save the md5 hash of a file and later recheck it, you can be sure the file hasn't been changed, corrupted or tampered with.

Installation on Debian

You'll find it in the package md5deep.

apt install md5deep

Inside the package you'll also find sha256deep and some other good stuff. Use sha256deep instead if you want to use sha256 hash. It's better and actually more secure than md5 but might be slower. You use it in the exact the same way though.

Besides linux it's also available on other OSs such as Windows, MacOS. You can build it from source too. https://github.com/jessek/hashdeep

Create MD5 signatures

md5deep -rl /check_this_dir/* > files.md5

This will create a text file (files.md5) with the md5 hash of all files (*) in the "/check_this_dir" directory.

Check MD5 signatures

md5deep -rlX files.md5 /check_this_dir/*

It will return the files that don't match. So if any file has been changed, it will show up.

Common Options

-r is to go into subdirectories as well
-l is to use local paths instead of absolute paths
-X is to do check the signatures

-e is if you want to see the progress while it's working.

Find more info on basic usage with examples here:
http://md5deep.sourceforge.net/start-md5deep.html#basic

Example

Let's check that our files in /boot and it's sub-directories stays intact.

First let's create an md5 file that we will compare with.

md5deep -r /boot/ > boot.md5

Let's verify the files have not been tampered with.

md5deep -rX boot.md5 /boot/ 

If a file or several files has been changed it will return the file and the new hash (exit code 1).
If all is good it will not return anything (exit code 0).

Maybe stop using USB drives for things they aren't designed for?

It looks like we've been down this road before.
https://mangolassi.it/topic/20070/so-xen-server-gave-me-an-error-what-do-i-do

A small SSD would do better. Something with write endurance and something that is designed to attached 24/7 in a hot environment.

If you don't have drive bays or don't want to waste them, use satadom.

Maybe I'm alone but on the top of my list:

1. Only use Microsoft as a last resort when all other options have been explored.
2. If you get paid by the hour disregard #1.

@dashrender said in New customer - greenfield setup:

@jaredbusch said in New customer - greenfield setup:

@dashrender said in New customer - greenfield setup:

Should they go DNS filtering or NGFW with filtering subscription?

2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.

That's just the thing. You need to block that crap.

• Block DNS over TLS in the firewall (port 853 outgoing).
• Block DNS over HTTPS in the firewall (port 443 outgoing to IPs of all known DNS providers like 1.1.1.1, 8.8.8.8 etc).
• Block DNS in the firewall (port 53 outgoing)
• Set up your DNS filtering and set the firewall to provide that DNS to everything on the LAN.

My general rule is to block everything outgoing except 80 (for redirect purposes) and 443. Then open up as needed.

Whats new?

About 6 months ago Zoho updated their Admin Console for Zoho Mail.
It was mostly a user interface refresh, or so it looked like.

What Zoho didn't mention is that they actually added the ability to have DMARC reports analyzed automatically and view the statistics.

If you have Zoho Mail (paid plans only) the reports are here:
https://mailadmin.zoho.com/cpanel/reports.do#reports/dmarc/failure

Documentation is here:
https://www.zoho.com/mail/help/adminconsole/organization-email-reports.html#alink5

---

How do I get the reports into Zoho?

To get these reports you have to have SPF, DKIM and DMARC set up on your domain with reporting enabled.

You should have a DNS TXT record on your domain called _dmarc.
For example set to: v=DMARC1; p=reject; rua=mailto:[email protected]

It looks like Zoho is snooping up reports automatically, if the receiving email set above is in your domain. We use [email protected]

---

What are DMARC reports?

For those that don't know, DMARC reports are the only way to detect if someone is using your domain to send out spam or malicious emails that looks like they came from your domain. Or if an email server is sending out emails that are legitimate but misconfigured - often causing the emails to end up in spam or rejected. Without DMARC reports you would never know if that happened.

The actual DMARC reports are xml files that are emailed back to you from other email providers, like Microsoft or Google. They provide information on how the receiving end analyzes incoming email looking at your DNS records for SPF, DKIM and DMARC settings and compare that to what is in the actual email.

---

I don't use Zoho - I use Microsoft, Google etc...

Well, normally your email provider can't help you with this.

You need to sign up with a third-party service to analyze your DMARC reports. And then they would provide the statistics for you.

Hopefully Microsoft, Google etc will follow suit and provide analysis directly in their mail admin panels.

@jaredbusch said in beyond bash shell scripting, what language should I use:

So I have a need to move a few scrips beyond basic bash shell scripts.

Typical OS is Fedora ecosystem, second most used is Debian.

The script will need to execute other applications like ffmpeg and scp/rsync.

What language should I use?

I assume the first answer will be python, which I am not a fan of, but can use.
Maybe go? Seriously open to suggestions.

There is no general answer to your question.

The real question is what are you trying to accomplish that shell scripts can't or doesn't do a good job at? And what's the most suitable language/languages for that task?

For example when you say "execute other applications" that implies shell scripts because that is what they do best. If you wanted to use ffmpeg libraries for encoding, decoding and such that would have been a totally different thing and shell scripts would'nt have been an option.

@stacksofplates said in GKE Auto Scaling down to shut down resource usage and save costs.:

@pete-s said in GKE Auto Scaling down to shut down resource usage and save costs.:

@irj
Interesting, I know nothing but aren't you using the cluster autoscaler?

It's supposed to scale up and down automatically as needed with the settings you give it. If it doesn't scale down as far as you like, have a look at the settings.

Autoscaling depends on the apps. If your app can't withstand a shutdown it's not a good idea. When more nodes are added the scheduler might move the pod to a different machine.

Yes, but that is why you have settings. How far you want to be able to scale down and how far you want to be able to scale up.

But I don't know much about it though except what I've picked up from videos like the one below:

Youtube Video

You should be able to find HPE switches like 1820 with POE.

@irj
Interesting, I know nothing but aren't you using the cluster autoscaler?

It's supposed to scale up and down automatically as needed with the settings you give it. If it doesn't scale down as far as you like, have a look at the settings.

@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.

Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?

Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.

@dashrender said in SPF records - for all A records?:

This site is pretty good also for checking the whole mailing stack
https://www.checktls.com/TestReceiver

That one was new to me. I'm going to check it out.

Another awesome resource, one that can test your own email from the receiving end is https://www.learndmarc.com/
It just great and will explain what happens.

It's made by uriports. We just started to evaluate their DMARC report monitoring service. Looking good so far.

@dashrender said in SPF records - for all A records?:

I'm reading up on SPF/DKIM/DMARC and ran across several posts where people indicate they create SPF records for all all A records in their DNS (not sure why they would skip C Names?)

Is this really necessary? Does anyone else here do that?

Here is one such comment

It is a best practice to have a "does not send" SPF record (i.e. "v=spf1 -all") on every HOST within a domain that doesn't otherwise have a different SPF record -- as well as for the domain itself plus any non-host label in the domain that has MX or SMTP-service-SRV records. The idea is to permit detection that the host-part of a sending mailbox is forged, and for those idiots that don't check others' SPF records, that you have protected all possible labels in your domain that could be backscatter targets.

It's indeed best practice to do so.
http://www.open-spf.org/FAQ/Common_mistakes/#all-domains

I haven't bothered though. But I have DKIM and DMARC also setup. If both SPF and DKIM fails, the DMARC policy instructs the receiver to completely reject the email.

Just using SPF isn't an effective measure against spoofed emails. DKIM adds a secure signature to each mail and DMARC is the policy on what the receiving end should do.

From received DMARC reports you can see when servers are trying to spoof your domain's email addresses.

BTW you only need to add an SPF for the A record because that is where the IP address is. CNAME is just a pointer to another A record.

Use something like this to check you SPF records:
https://www.dmarcanalyzer.com/spf/checker/
On this one you'll see how SPF records are resolved to IP addresses, sometimes in multiple levels.

@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247

On every Windows PC I've seen setup with VPN, you login in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.

So maybe you're overcomplicating things.

Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...

For starters have a look at "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".

I think Windows 10 will cache by default but not if there are GPO settings overriding it or the registry has been altered. I haven't played with it much so I'm not sure if there is anything else that needs to be looked at.