@jaredbusch said in Fedora Update Breaks httpd:
So, if you followed the original instructions, you can use this to fix it.
sed -i "s/access\.log/httpd\/access_log/" /etc/httpd/conf.d/bookstack.confThen start apache.
systemctl start httpd
As always, thanks @JaredBusch that fixed it for me as well.
I have a client who is about to migrate to using Let's Encrypt for SSL instead of their standard SSL issuer and fully manual process they had before. They host many hundreds of sites and manually updating certs was just ridiculously time consuming for them.
I'm looking to setup Nginx in Active-Passive HA mode so that when the cert update job takes Nginx offline for up to 15-20mins, the sites aren't taken offline.
I've found a couple tutorials that explain the setup process and will be testing this setup to death before it goes online (virtual IP, defining the master/passive node...etc) but I'm wondering if there is a best-practice for the SSL certs location. Should each Nginx instance host its own set of certs for the same domains? In this case, running the renew script on one would renew certs on only that instance (since Nginx has to reload to use the new certs) and then renew on the other node? I can't imagine I should save the certs on some network location because the remaining Nginx node would not be able to use the new certs until reload so in effect negating the HA setup. Should I simply have a script to copy the new certs to the other node after the master comes back online and then reload the other node's Nginx service?
The majority of these sites are low traffic (fewer than 100 visits a day) so offline sites for a few minutes a day or once a week during early morning hours isn't going to kill anyone but it's still a good plan to setup the HA proxies should one go down and a bonus if we can keep sites online while certs are getting renewed.
Thoughts? Recommendations? Gotchas?
@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.
I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.
For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.
@coliver said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.
I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.
For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.
How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?
Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.
@dashrender said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
@coliver said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.
I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.
For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.
How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?
Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.
You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?
We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?
There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.
No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.
As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.
@scottalanmiller said in Ubiquity Security appliance:
So it’s only beneficial if the pros outweigh the cons.
Totally agree here!
@brandon220 said in Ubiquity Security appliance:
For normal firewalls I have the ER-Lite models deployed everywhere including my home. For places that needed the UTM functions I went with Sophos. I definitely have more ERs deployed. I have one client that is a large construction company. They tried everything including Cisco ASA (many different models) Sonicwall, Meraki, and some I don't remember. They constantly were having issues especially with VPN. I don't ever recommend those anymore after seeing the negative effects first-hand.
Out of 38 clients where I installed a router or UTM, only 5 have UTMs and all are Sophos.
@ccwtech said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.
This is my fear as well. If something that (for a few hundred dollars extra) would prevent this event, it would be well worth it.
I always present new clients with options. I'll make a recommendation about which might be best for their business and processes. I'll lay out the pros and cons of each and together we come to a decision.
Let me tell you that the client that had to recover from their crypto infection asked me to set them up with a UTM. Even after walking them through the fact that this won't guarantee that they won't have this happen again, they still opted for the UTM. Combined with changes to how they manage inbound documents and Sophos' Sandstorm feature, the business owner tells me she sleeps better at night.
@jaredbusch said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
@jaredbusch said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
@dashrender said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
@coliver said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.
I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.
For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.
How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?
Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.
You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?
We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?
There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.
No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.
As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.
But that word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.
No, it didn't come from their email, it was a link to a cloud file share on some random domain.
Then also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.
It was a malware laden file, and the user neglected to ensure the link was a good valid link. You're assuming it would have been served over SSL. I made no such assumption. Not sure that malware distributors always ensure their files are hosted from SSL protected shares.
Sophos also has a feature called Sandstrom which explodes documents before sending them to the user. A UTM AV may have scanned and blocked the file, it may not. Like I said, we'll never know for sure since the client didn't have the UTM in place.
@jaredbusch said in Ubiquity Security appliance:
@nashbrydges said in Ubiquity Security appliance:
Sandstorm is not on the endpoint. Files are analyzed through a Sophos cloud service via the UTM before being allowed through to the user.
So you are using MitM.
To be clear, Sandstorm will NOT work for HTTPS content unless there's a cert installed on desktop so it can inspect traffic and retain encrypted connection. Much the same as DPI SSL won't work well and gateway AVs are also the same where if no certificate is installed on desktop, you can't maintain an encrypted connection with destination server. But it does work on non SSL traffic.
As web SSL usage continues to increase, this continue to reduce the efficacy of any gateway AV, DPI SSL or services like Sandstorm for SMBs who refuse to setup the desktop cert (me included). That means more and more reliance on desktop AV/AM solutions for scanning.
While those services are, in my eyes, are being affected in their usefulness by the increased SSL usage, they do offer other services that can be beneficial to SMBs.
I see lots of people coming up with reasons why NOT to use a UTM. What I've stated all along is, evaluate the client need and figure out if a UTM is going to work well for them or not.
In my case, only a handful of the 39 clients have UTMs. ALL of those enjoy benefits afforded them by the UTM other than AV/AM scanning.
@black3dynamite said in Cloudflare SSL - Do You Use Or Not?:
@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:
@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?
I use the non strict Full SSL because I have some self-signed certs.
That would be a good use-case scenario. Thanks.
This guide is fortuitous. I had this planned for migration from Ubuntu this week. This makes my job easier. Thanks!
Yeah, I'd love to use a single email relay. I've just been setting up each server with Postfix but that's inefficient. Would love to direct all device emails that can't autosend via Office 365 through this single relay. A how-to would be ideal. I was searching for this very thing here a couple days ago and couldn't find anything.
@black3dynamite said in How to receive e-mail alerts from internal devices:
To have postfix relay to Office 365, you would need to setup postfix to use TLS.
If you are using Fedora make sure you have these packages installed:
sudo dnf -y install postfix cyrus-sasl cyrus-sasl-plain mailxInstalling
cyrus-saslandcyrus-sasl-plainis needed if you want to configure postfix to use TLS.Start at the section where it talks about configuring postfix to use TLS.
https://gordan.jandreoski.me/how-to-configure-postfix-relay-to-office365-on-ubuntu-14-04/
For Postfix to enable TLS, all you need to add to the main config file is this line:
smtp_tls_security_level = may
Email headers confirm that emails are encrypted. I've checked on Gmail as well as my Office 365 email.
@black3dynamite Here is what it looks like at the Gmail end (personal details obfuscated).
@black3dynamite said in Nextcloud 13.0 to 13.0.1 Upgrade Failing:
setenforce 0
Now I feel silly. Thanks That worked. Switched back to setenforce 1 afterwards.
If you need lots of storage, out of this group, the R510 would be the logical choice. 12 x 3.5" HDDs can get you a ton of storage. This is the one I use in a very similar config for my Veeam backups. Sure it's going to be more power hungry than the R710 or R320 but it's not that much worse.
Since the R710 is also likely the LFF version with 6 drives, that's only half the available potential storage for exactly the same performance (from the server components) so again, if the choice is between the R510 or R710, I choose the R510.
The R320 is only 4 Drives for storage but much newer.
Other factors to consider...
If I was picking, I'd go with R510, if these are my only choices.
@scottalanmiller said in Smart Home Systems - Opinions on TP-Link Kasa:
Has anyone looked at or used TP-Link Kasa smart home gear? Wondering how good it is, how the apps work. Works with Alexa, which is a requirement for us. Seems like a good value.
I use them extensively throughout my house with Alexa. I have 10 of the HS200 and 8 of the HS100 and HS105 plugs. They only work on 2.4Ghz wifi. Have had the odd random disconnect but they're pretty easy to reconnect.
Only thing is that if you use Ubiquity AC access points, you'll need to log into the Unify manager to disable 5Ghz band otherwise they're a bitch to connect.
@scottalanmiller said in UniFi Home Lab vs Campus:
@flaxking said in UniFi Home Lab vs Campus:
@scottalanmiller said in UniFi Home Lab vs Campus:
@flaxking said in UniFi Home Lab vs Campus:
Idk, for $10, and a little bit of time, my Meraki AP running OpenWRT was quite the bargain for a home AP
Except you can't get the unit for $10.
The UART adapter was the $10, and I didn't even have to do the free webinar, it was a colleague that did it.
I've done the webinar and they send nothing, it was a scam. They just didn't respond afterward. But it's only the AP that's free. You are getting the AP to act as a router?
I did the webinar AND got the AP. Nice to have a freebie that worked for the free license duration but now it's a paperweight. Even if it had been the same price as the UBNT, I still wouldn't have bought the Meraki AP.
Curious to those of you who used a cloud VM to install it on ... did you also install a SSL cert?
Yes. I set it up on Vultr and SSL for admin page. No proxy though.
