@adam.ierymenko said:

@Dashrender "That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!"

You can't secure things by breaking them. People will find ways around your barriers because they need things to work, and the things they cobble together will probably be less secure than what you started with. You have to secure things by actually securing them.

Fundamentally the endpoint is either secure or it is not. If it's not, all someone has to do is get into something behind your firewall and they own you. Increasingly that something could be a printer, a light bulb, or a microwave oven. How often do you patch your light bulbs? If the cloud killed the firewall, then IoT will dig it up and cremate it and encase it in concrete and re-bury it.

My approach to security is: secure everything as if it will be totally exposed on the public Internet, then add firewalls and such as an afterthought if appropriate. If something is not secure enough to be exposed to the public Internet without a firewall, it's not secure enough to be connected to any network ever.

So what would be an appropriate situation to use a firewall if nothing that is secure enough to be exposed to the public internet without a firewall should be connected to a network?

Confess anything from worst parts of your job to the worst part of your configuration and why you can't change it. I'll go first.

My server room is cooled by a typical consumer grade window unit that management refuses to change. It broke Friday without me knowing. I came in today (Monday) and my server room was 85 degrees and climbing. They don't listen to me and then still hold me responsible for the end results.

@scottalanmiller said:

Time for me to go game with the kids.

Ori and the Blind Forest is on sale 50% off ($9.99--Steam). I think it's a great game for anyone. I know you just recently purchased a ton of games but if you didn't pick that up I definitely suggest you do. Happy gaming!

@scottalanmiller said:

@wirestyle22 said:

Thanks very much for this!

You bet. I have been needing to do this for forever. Time to finally start putting this together as a resource.

Sounds like our needs aligned hah

Thanks very much for this!

@scottalanmiller said:

I am trying hard to keep several new articles coming each week.

I appreciate that greatly. I'll be updating my progress and I'm sure I'll be asking a lot of questions to break everything down and provide hypotheticals.

@scottalanmiller said:

@Reid-Cooper said:

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

I hear that it comes highly recommended.

I will certainly check it out. I'm building my Linux Test Environment Server. I'm going to use it for a myriad of things.

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

There are no stupid questions only stupid answers

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

Sounds like it would also mitigate denial of service attacks as well or just logins?

It actually enables DoS attacks, to some degree.

Can you explain in more detail? Is this because it creates overhead?

Creates overhead and causes a system to deny access from an IP address. What to block a system from being able to server requests... just hit it from lots of IP addresses and get it to start blocking them. Instant denial of service.

Ah, that makes sense. Thanks.

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

Sounds like it would also mitigate denial of service attacks as well or just logins?

It actually enables DoS attacks, to some degree.

Can you explain in more detail? Is this because it creates overhead?

@scottalanmiller said:

Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

Sounds like it would also mitigate denial of service attacks as well or just logins?

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

Do tons of people really think that virtualize is visualize or is this just an autocorrect thing? That it only happens in certain groups of people and not, for example, here makes me think that it is not an autocorrect problem.

It's just people. Just like laser vs. lazer

Who the heck writes lazer, outside of tag, of course?

Mutants

@dafyre said:

@scottalanmiller said:

Do tons of people really think that virtualize is visualize or is this just an autocorrect thing? That it only happens in certain groups of people and not, for example, here makes me think that it is not an autocorrect problem.

Could it be these people are simply in a hurry to post, or perhaps english is not their first language?

it could

@scottalanmiller said:

Do tons of people really think that virtualize is visualize or is this just an autocorrect thing? That it only happens in certain groups of people and not, for example, here makes me think that it is not an autocorrect problem.

It's just people. Just like laser vs. lazer

@Breffni-Potter said:

@scottalanmiller said:

@Breffni-Potter said:

Hmm, I can't remember exactly but I think the BBC actually pulled this off with a particular product.

I can't remember what it's called.

You can do it, like I can build it with GFS2 and DRBD, the problem is once a WAN link fails you have a disaster. Do you simply cut everyone off? Or do you allow local edits?

No I mean actually sorting it despite that.

Done some googling to see if I can find the product but can't but effectively, the storage at each location is ireelevant, what you do is use a digital assest management system.

This does your versioning of media files, checking, quality control. It's a very different way of working to "everyone throw your data into a file browser"

I would think it depends on the system and how it actually checks if a file is being accessed. If the WAN link is down it would most likely assume that no one else has it opened or just error out if its configured to do that if unable to connect. I haven't had to do this though.

@scottalanmiller said:

@wirestyle22 said:

So really we're trying to figure out how to combine all of the changes, correct? Can't this be done with .tmp files fragmenting and then recombining?

Not generically, no. Combining changes is never something that can be handled by storage. An application might be able to do that, but a storage system never can.

Yeah I mean at the application level. She would need a third party piece of software that specifically handles this--which is another point of failure

@scottalanmiller said:

@StefUk said:

@JaredBusch @JaredBusch @scottalanmiller

that's good in terms of replication.
but what about working on the same files - project ? what you are saying is that there is no way to get them to work on the same project without file version issues ?

Correct, there is not. If they each have a copy of their own data, they each have an opportunity to work on them at the same time. Once you have multiple masters, you have issues. No way around that.

So really we're trying to figure out how to combine all of the changes, correct? Can't this be done with .tmp files fragmenting and then recombining? I'm sure their software doesn't support this but I'm just asking hypothetically for my own knowledge.

@scottalanmiller said:

My take on it is... you don't. It's not a reasonable thing to attempt to do. You make people change their processes.

Where are the sites located?

@dafyre said:

Yeah. It's really slick the way they do it, and it does work relatively well. I was out for 2 weeks when I got my cochlear implant a few months ago. I spent one of those weeks working from home using ZeroTier to connect to my office machine.

We currently have everyone connecting through an RDP client to a Terminal Server. I inherited this network and they do not embrace any kind of change here