Thanks Ants
May 21, 2004

#essereFerrari


IUG posted:

I've been tasked with making a report email based on a certain type of ticket we have in our system (querying the postgres database directly). My company is cheap and does open source everything, mostly for being cheap rather than things being open source. So that means when I was tasked this, and wanted it to look nicer than a bash script outputting text, I was told to use Jaspersoft Studio Community Edition. This program looks like hot garbage, and hasn't been updated in years. There's got to be something better, but my DBA who's been working with this program for a while said he couldn't find anything. Please help me to not use this program, someone, I beg you.

Everyone loves Excel don't they?

https://docs.microsoft.com/en-us/power-query/connectors/postgresql


Rick
Feb 23, 2004
When I was 17, my father was so stupid, I didn't want to be seen with him in public. When I was 24, I was amazed at how much the old man had learned in just 7 years.
Please remember I am the predecessor moron.

We are going to roll out 365 2factor out to all staff eventually.

However, since I successfully have pared down the people using domain admin accounts to 5 (big fight to even get it there), I don’t know if we need 2FA for people to log in to their computer every morning or whatever.

I was thinking of using the website Duo to add 2FA to their windows accounts.

But reading the docs, it seems like this will only use 2FA on computers the software is installed on. Am I right? Is this actually useful?

I guess I can install it on the server so at least those are fine right? But if these admins got their password ganked and someone logged in and remotes into a non server they could basically do whatever right?

Rick fucked around with this message at 09:46 on Mar 30, 2022

Dans Macabre
Apr 24, 2004


You don't need to install MFA software on the endpoint. I think requiring MFA every time a user turns on the computer is a bit much. Require on first sign-on to the device. When they first sign in to win10 they'll take you through the rigamarole. This is assuming you're doing Azure AD.

The various software on the endpoint can require MFA periodically.


Your dom admins never need to sign in to a workstation as domain admin.

Rick
Feb 23, 2004
When I was 17, my father was so stupid, I didn't want to be seen with him in public. When I was 24, I was amazed at how much the old man had learned in just 7 years.

nvrgrls posted:

You don't need to install MFA software on the endpoint. I think requiring MFA every time a user turns on the computer is a bit much. Require on first sign-on to the device. When they first sign in to win10 they'll take you through the rigamarole. This is assuming you're doing Azure AD.

The various software on the endpoint can require MFA periodically.

I tend to think you are right. We are being asked to institute it by our insurance company but I think maybe I am going to suggest trying it with email first and see how that goes.

quote:

Your dom admins never need to sign in to a workstation as domain admin.
100% agree completely agree 100%. Bosses don't though.

Thanks Ants
May 21, 2004

#essereFerrari


Conditional access with device compliance policies and Windows Hello should be enough to handle device login.

Ignore this if you aren’t doing a 1:1 device:user deployment.

Dans Macabre
Apr 24, 2004


Rick posted:

I tend to think you are right. We are being asked to institute it by our insurance company but I think maybe I am going to suggest trying it with email first and see how that goes.


Are you talking about a question like 3D here?



(This is an example, from Travelers Insurance)

Here I think if you require MFA on first login, you can hang your hat on that for endpoint login. Remote admin should of course require MFA every time but I would imagine you're requiring that already once to even get into your remote management console, and then when you sign into the endpoint directly you may have done MFA already for first signon, whatever.

Tapedump
Aug 31, 2007
College Slice
I'd like to thank everyone for their time talking about monitoring software. I've managed to corral the boss into a limited deploy, and I'm hoping TeraMind drowns him in enough reports he'll forget about it.

Thank you to all for both suggestions and feedback.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
G workspace admins: Is there a way to make gdrive sync known folders like onedrive out the box? I've looked all over and in switch operators and registry to try and make it do this. Trying not to touch every single computer as it's dead simple to implement silently on onedrive through GPO.

Trastion
Jul 24, 2003
The one and only.
I don't know if this is the correct place for this question but here goes...

Back at the beginning of the pandemic we got hit with ransomware. Since then we have been getting everything beefed up with security and backups and everything. We brought in a 3rd party to help with some of it and I am 2nd guessing some stuff with what they had us go with in regards to backups.

Currently we are using Veeam for backup to an ioSafe. The 3rd party claims that the ioSafe will keep us safe "because it is Linux based" as far as a repeat ransomware attack. We are trying to get a 2nd form of backup running. Trying to use Veeam and our old tape library is having issues. We are talking about possibly doing a 2nd offsite ioSafe that is replicated to over a site-to-site VPN. Are they really any more secure? I don't buy the whole "it's Linux based, therefore safe" thing, but there may be more to it that I am just not getting a real explanation of from him.

According to Veeam we seem to be doing about 350 GB a night of "Transferred" data on the incremental backups. Any ideas/suggestions?

Comfortador
Jul 31, 2003

Just give me all the 3ggs_n_b4con you have.

Wait...wait.

I worry what you just heard was...
"Give me a lot of b4con_n_3ggs."

What I said was...
"Give me all the 3ggs_n_b4con you have"

...Do you understand?
I can't speak specifics, but I know with the Log4j vulnerability Linux boxes were just as vulnerable as anything else. So... I wouldn't trust anything as "safe". Everything will have holes needed to be plugged.

wolrah
May 8, 2006
what?
Ransomware generally doesn't care what OS your files are stored on. It's about whatever data can be reached by whatever accounts have been compromised or executed malware. The biggest issue in small business environments tends to be lack of access controls on file shares.

A Linux based NAS can be set up just as insecurely as a Windows based file server, and NAS vendors have historically not been the best about security especially when trying to make it easy for their users to access their poo poo remotely.

I'm a long time Linux nerd who only runs Windows for gaming, and I'd be wary of anyone claiming Linux was automatically inherently more secure in this context.

Internet Explorer
Jun 1, 2005





It used to be very common that Veeam backup repositories were stored on a Windows NTFS formatted disk attached to the Veeam server. This was real dumb and bit a lot of people. Veeam released a Linux appliance that was supported by them for backup repositories. This is better than storing your backups on a Windows share, something ransomware is going to hit trivially. Making sure your online backups, either on-prem or in the cloud, don't get hit when your prod data gets hit isn't a trivial problem. Another good approach is having it on immutable storage or backups that can only age out and not be deleted, but you are trusting that the storage provider marking it as immutable is actually secure. The Veeam Linux appliance for backup repositories can do this. A lot of backup and prod storage providers are doing this, I know Pure and Cohesity are. If you can get your stuff up to the cloud, Azure storage allows for this.

Your question of 350 GB a night "Transferred" is impossible to answer without knowing more about your environment. Do you think it's accurate that you have 350 GB of data change every day? If not, then I'd start looking into that.

[edit: To clarify, since the above comments are correct about it not being more secure just because it's on Linux. If the Linux box is off the domain, has a unique root password, uses an off-domain service account that's defined on the Linux server, has read/write access to the share with a unique password that's only used by the backup service, then you're better off than a lot of Veeam installs that have a share on a server that's on the domain and uses a service account that's on the domain. In the latter example, if an attacker gets domain admin they can get themselves access to the share.]

Internet Explorer fucked around with this message at 17:29 on Apr 7, 2022

CloFan
Nov 6, 2004

Use Veeam to offload to an S3 storage bucket that supports immutability. We use Wasabi, but Backblaze and Amazon are other options. We pay $160/mo for 8TB.

Replicating to a remote site is good, but unless your account and ACLs are locked down properly it wouldn't be hard to jump to that box if an attacker has access to your network. A determined attacker will study your backup processes and make sure those are hosed before enabling encryption. That's why the immutability is important.
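The two posts above (Internet Explorer's on immutable repositories and CloFan's on offloading to an S3 bucket with Object Lock) hinge on the same rule: a locked object version cannot be deleted by anyone, backup admin included, until its retention date passes. The snippet below is an added example, not Veeam's, Wasabi's or AWS's code. It implements the S3 Object Lock delete rule and the bucket preconditions a Veeam-style immutable repository depends on. The dict shapes mirror the real S3 API responses (GetObjectLockConfiguration, GetObjectRetention, GetObjectLegalHold), but every value, the function names, the `min_days` threshold and the "now" timestamp are constructed for the example.

```python
"""S3 Object Lock delete rule and immutable-repository bucket checks (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: what a bucket set up for immutable backups should look like.
BUCKET_LOCK_CONFIG = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
}
BUCKET_VERSIONING = {"Status": "Enabled"}

# Constructed "now" (the thread's date) and a few object versions to test against.
NOW = datetime(2022, 4, 7, tzinfo=timezone.utc)
LOCKED_VERSION = {"Mode": "COMPLIANCE", "RetainUntilDate": NOW + timedelta(days=30)}
GOVERNED_VERSION = {"Mode": "GOVERNANCE", "RetainUntilDate": NOW + timedelta(days=30)}
EXPIRED_VERSION = {"Mode": "COMPLIANCE", "RetainUntilDate": NOW - timedelta(days=1)}
NO_HOLD = {"Status": "OFF"}


def bucket_supports_immutable_backups(lock_config, versioning, min_days=14):
    """Return a list of problems; an empty list means the bucket is acceptable.

    Object Lock only works on versioned buckets, and a GOVERNANCE default can be
    bypassed by any principal holding s3:BypassGovernanceRetention, so a repository
    that must survive a compromised admin account should default to COMPLIANCE.
    min_days=14 is an assumed policy minimum, not a Veeam or AWS requirement.
    """
    problems = []
    if versioning.get("Status") != "Enabled":
        problems.append("versioning is not enabled")
    if lock_config.get("ObjectLockEnabled") != "Enabled":
        problems.append("object lock is not enabled on the bucket")
    rule = lock_config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        problems.append("no default retention rule; objects are only locked if the writer sets retention explicitly")
        return problems
    if rule.get("Mode") != "COMPLIANCE":
        problems.append(f"default retention mode is {rule.get('Mode')}, not COMPLIANCE")
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < min_days:
        problems.append(f"default retention {days} days is below the {min_days}-day minimum")
    return problems


def delete_version_allowed(retention, legal_hold, now, caller_can_bypass_governance=False):
    """Decide whether DeleteObject with an explicit VersionId would succeed.

    retention is {"Mode": ..., "RetainUntilDate": datetime} or None;
    legal_hold is {"Status": "ON" | "OFF"}.
    A delete without a VersionId only writes a delete marker and never removes
    the locked version, which is exactly why Object Lock survives a naive "rm".
    """
    if legal_hold and legal_hold.get("Status") == "ON":
        return False, "legal hold is ON"
    if retention is None:
        return True, "no retention on this version"
    if now >= retention["RetainUntilDate"]:
        return True, "retention period has expired"
    if retention["Mode"] == "GOVERNANCE" and caller_can_bypass_governance:
        return True, "GOVERNANCE retention bypassed with s3:BypassGovernanceRetention"
    return False, f"{retention['Mode']} retention until {retention['RetainUntilDate'].isoformat()}"


def run_demo():
    """Exercise the rules on the constructed data; returns name -> result."""
    return {
        "bucket_problems": bucket_supports_immutable_backups(BUCKET_LOCK_CONFIG, BUCKET_VERSIONING),
        "compliance_delete": delete_version_allowed(LOCKED_VERSION, NO_HOLD, NOW)[0],
        "governance_delete_plain": delete_version_allowed(GOVERNED_VERSION, NO_HOLD, NOW)[0],
        "governance_delete_as_admin": delete_version_allowed(
            GOVERNED_VERSION, NO_HOLD, NOW, caller_can_bypass_governance=True)[0],
        "expired_delete": delete_version_allowed(EXPIRED_VERSION, NO_HOLD, NOW)[0],
        "legal_hold_delete": delete_version_allowed(EXPIRED_VERSION, {"Status": "ON"}, NOW)[0],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point of the GOVERNANCE cases is the caveat in the post above about trusting the provider's immutability: in GOVERNANCE mode an attacker who has taken over an IAM principal with bypass rights can still purge the backups, so the repository credentials Veeam uses should never hold that permission and the bucket default should be COMPLIANCE.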

BonoMan
Feb 20, 2002

Jade Ear Joe
Question about connecting directly to a NAS.

A friend works at an educational institute doing videography.

They have an older QNAP NAS with dual 10gbe ports and two iMac Pros with 10gbe ports.

Can they connect one to each port on the NAS and bypass needing to use a switch?

They have an IT department that has tried to set it up but are pretty clueless. The two editors just want to work off the drive but their IT services can't seem to figure it out. I looked at the configuration and they aren't even using the 10GbE ports.

One person is in the office with the NAS so she could connect via TB (with a 3 to 2 adapter) and the other, 2 offices away, via a cat 6 run?

NAS is the TVS-871T

Thanks Ants
May 21, 2004

#essereFerrari


That NAS has two Thunderbolt 2 ports so a couple of these https://www.apple.com/uk/shop/product/MMEL2ZM/A/thunderbolt-3-usb-c-to-thunderbolt-2-adapter with Thunderbolt 2 cables and they can link directly to the NAS at Thunderbolt 2 speeds, and keep the network port on the Mac alive for connecting to the rest of the network.

The Thunderbolt ports should auto-configure an APIPA IP address and discovery of services should Just Work.

BonoMan
Feb 20, 2002

Jade Ear Joe

Thanks Ants posted:

That NAS has two Thunderbolt 2 ports so a couple of these https://www.apple.com/uk/shop/product/MMEL2ZM/A/thunderbolt-3-usb-c-to-thunderbolt-2-adapter with Thunderbolt 2 cables and they can link directly to the NAS at Thunderbolt 2 speeds, and keep the network port on the Mac alive for connecting to the rest of the network.

The Thunderbolt ports should auto-configure an APIPA IP address and discovery of services should Just Work.

I was thinking of that for the one person in the office with it.

But the other person two offices over... you can't do long TB runs like that right?

Submarine Sandpaper
May 27, 2007


I had issues in a small shop both replicating to other hypervisors and backing up to veeam. I think that was dumb sales/sales engineers (aka owner) that led to that fiasco though.

Trastion
Jul 24, 2003
The one and only.
Thanks for the reply guys. Looking into possibly using Wasabi as that seems like it might be a good fit.

Gorson
Aug 29, 2014

Thants for this thread.

Anyone using GoTo Connect for IP phones? I have a client with issues with it and I assume it's the configuration-limited Spectrum router, but if it's just a bad service overall I might recommend something else. I can turn SIP ALG on or off, that's it (it's off).

wolrah
May 8, 2006
what?

Gorson posted:

Thants for this thread.

Anyone using GoTo Connect for IP phones? I have a client with issues with it and I assume it's the configuration-limited Spectrum router, but if it's just a bad service overall I might recommend something else. I can turn SIP ALG on or off, that's it (it's off).
What kind of issues are you experiencing? I recently helped diagnose an issue with a partner's client who had a whitelabeled version of that service and it was a NAT timeout thing. I've also seen talk recently about Spectrum enabling SIP rate limiting in some areas, though happily I haven't actually seen that myself.

Thanks Ants
May 21, 2004

#essereFerrari


SIP is such a dogshit protocol for endpoints that it almost makes it worth looking at MS Teams phones so everything is happening as REST signalling and can’t get messed around with by edge devices trying to be helpful.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
Our DevOps guy left with 1 week's notice. My boss asked if I could fill in until they found a replacement; "just someone to keep the lights on" was how it was explained to me (all of my previous projects were put on hold or given to the other guy, I'm not doing both roles full-time. I'm doing both part-time). I took her up on the offer because of the promise of free training and I've always been interested in DevOps and I figured I could do it because I'm built different.

First day of this new devops thing:
- I've been made lead of this big database upgrade where they are jumping 7 major versions. The Test and UAT environments are not the same as prod (or even the same as each other), and we have only a few months to finish the upgrade in all 3 envs
- I have spent 4 hours trying to fix some certificate issue on some microservice. pushing what I think are the right changes to various Dockerfiles all lead to different build errors and failures, none of which are related
- some loving rando is now asking me to build him a new env in AWS that has apparently "been known about for weeks"
- AWS is emailing me saying a bunch of EC2 instances need to get migrated, however when I go to look for them I cannot find them in AWS.
- AWS is also emailing me saying that a bunch of EBS platforms need to be updated soon or else they're getting axed. These platform upgrades are going to require code changes and the devs seem very uninterested in doing them.
- I have discovered a yikes amount of very obvious security issues that again, the devs seem very uninterested in addressing.

I have zero clue what I am doing, how any of this is built, or who I should be talking to. There is no documentation anywhere, and major projects are looming on the horizon.

It turns out that I am in fact built different, but it's worse.

Guy Axlerod
Dec 29, 2008
No wonder the DevOps guy left.

Gorson
Aug 29, 2014

wolrah posted:

What kind of issues are you experiencing? I recently helped diagnose an issue with a partner's client who had a whitelabeled version of that service and it was a NAT timeout thing. I've also seen talk recently about Spectrum enabling SIP rate limiting in some areas, though happily I haven't actually seen that myself.

The two main issues that have been reported are one side can't hear the other, and 1-2 second delay before audio starts being picked up when a call begins. The issues are intermittent.

devmd01
Mar 7, 2006

Elektronik
Supersonik

MustardFacial posted:

I have zero clue what I am doing, how any of this is built, or who I should be talking to. There is no documentation anywhere, and major projects are looming on the horizon.

its a shame this is too long for a thread title

CloFan
Nov 6, 2004

MustardFacial posted:


It turns out that I am in fact built different, but it's worse.

Is it too late to renege on the job? Sounds like a real shitshow!

Internet Explorer
Jun 1, 2005





devmd01 posted:

its a shame this is too long for a thread title

For real. I don't think I even flinched reading that. Par for the course.

wibble
May 20, 2001
Meep meep

CloFan posted:

Is it too late to renege on the job? Sounds like a real shitshow!

Thread derail, can I see more pictures of your cats?

Thanks Ants
May 21, 2004

#essereFerrari


Tell your manager that you can't do it, roll that poo poo up the hill

wolrah
May 8, 2006
what?

Thanks Ants posted:

SIP is such a dogshit protocol for endpoints that it almost makes it worth looking at MS Teams phones so everything is happening as REST signalling and can’t get messed around with by edge devices trying to be helpful.
The technical idealist part of me wants to defend SIP as being a perfectly reasonable protocol for reasonable networks where devices have real IP addresses, and point out that NAT is the real problem. ALG devices only exist because of NAT, so we should just get rid of the actual problem.

The realist part of me knows that's never happening and we're stuck with IPv4 forever because too many dipshits just can't imagine not being able to remember a server's IP address off the top of their head.

At least switching over to SIP/TLS on a non-standard port is a viable option these days.


Gorson posted:

The two main issues that have been reported are one side can't hear the other, and 1-2 second delay before audio starts being picked up when a call begins. The issues are intermittent.
Definitely check your UDP timeout settings, that definitely sounds like NAT problems. Cisco tends to want 300+ second timeouts for their hosted voice products and most firewalls will default to somewhere between 30 and 60 seconds.
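The NAT timeout failure wolrah describes, as an added example that is not part of the original post: a consumer router forwards an inbound UDP packet only if an outbound packet from the inside recently created a binding for that public port. If the phone's keepalive or re-REGISTER interval is longer than the router's UDP idle timeout, the binding has already been dropped when the provider sends an INVITE, and the packet is silently discarded. The class and function names, the 120-second keepalive, the 90-second INVITE time and the phone address are all constructed for the simulation; the 30-second and 300-second timeouts are the figures from the post.

```python
"""UDP NAT binding expiry versus SIP keepalive interval (added example)."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    inside: tuple        # (private ip, private port)
    public_port: int
    expires_at: float    # seconds; binding is dead once now >= expires_at


@dataclass
class UdpNat:
    """Minimal model of a port-translating NAT with an idle timeout."""
    timeout: float                                     # idle seconds before a binding is dropped
    next_port: int = 40000
    table: dict = field(default_factory=dict)          # public_port -> Binding
    by_inside: dict = field(default_factory=dict)      # (ip, port) -> Binding

    def outbound(self, inside, now):
        """Inside host sends a packet: create or refresh its binding, return the public port."""
        b = self.by_inside.get(inside)
        if b is None or b.expires_at <= now:
            # New or expired: allocate a fresh public port, as many NATs do after expiry.
            # The provider still has the OLD port from the last REGISTER, so even a
            # later keepalive does not help until the phone re-registers.
            self.next_port += 1
            b = Binding(inside, self.next_port, now + self.timeout)
            self.by_inside[inside] = b
            self.table[b.public_port] = b
        else:
            b.expires_at = now + self.timeout
        return b.public_port

    def inbound(self, public_port, now):
        """Provider sends to a public port: deliver only if a live binding exists."""
        b = self.table.get(public_port)
        if b is None or b.expires_at <= now:
            return None                      # dropped: no live binding for that port
        b.expires_at = now + self.timeout    # most NATs refresh on inbound traffic too
        return b.inside


PHONE = ("192.168.1.50", 5060)   # constructed private address of the desk phone


def simulate(nat_timeout, keepalive_interval=120, invite_at=90):
    """Phone REGISTERs at t=0, then sends a keepalive every keepalive_interval seconds.
    The provider sends an INVITE at invite_at to the public port it learned from
    the REGISTER. Returns True if the INVITE reaches the phone."""
    nat = UdpNat(timeout=nat_timeout)
    learned_port = nat.outbound(PHONE, 0.0)        # REGISTER leaves; provider records this port
    t = keepalive_interval
    while t < invite_at:
        nat.outbound(PHONE, t)                     # keepalive refreshes (or fails to refresh) the binding
        t += keepalive_interval
    return nat.inbound(learned_port, invite_at) is not None


if __name__ == "__main__":
    print("30 s timeout, 120 s keepalive :", simulate(30))                          # dropped
    print("300 s timeout, 120 s keepalive:", simulate(300))                         # delivered
    print("30 s timeout, 25 s keepalive  :", simulate(30, keepalive_interval=25))   # delivered
```

The three runs show the two fixes available: raise the firewall's UDP timeout above the phone's keepalive interval (the 300+ seconds mentioned above), or shorten the keepalive so the binding never idles out. The same binding rule applies to the RTP ports, so audio the far end sends before the phone has emitted its own first RTP packet has no binding to land on and is dropped.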

CloFan
Nov 6, 2004

wibble posted:

Thread derail, can I see more pictures of your cats?

:3:



Buncha pictures in this thread: https://forums.somethingawful.com/showthread.php?threadid=3851374&userid=68086










MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Thanks Ants posted:

Tell your manager that you can't do it, roll that poo poo up the hill

I have. The IT director and the CTO are both of the opinion that I am the best man for the job at the moment while they look for a permanent replacement.

CloFan posted:

Is it too late to renege on the job? Sounds like a real shitshow!

This is the 3rd company I've been at in the past year and a bit. Since the market for IT got hot I've been bailing on places that show red flags before my probation is even up. So far this place has the best benefits, pays the most and outside of this DevOps thing, my boss is the best I've had so I'm reticent to drop this place just yet.

Also my wife is getting tired of me job hopping constantly and says I have to stay here for at least a year.

devmd01 posted:

its a shame this is too long for a thread title

I think it's a bigger shame that the industry is in a place where my predicament is so commonplace that it could be a thread title.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I'm mad at my org. We budgeted and got the OK to hire 5 people this year. Then my boss told management he is retiring at the end of the year. Now all those hires are on hold so the next guy can come in and do things his way. We're so short handed.

wibble
May 20, 2001
Meep meep

Thanks, so cute.

Dans Macabre
Apr 24, 2004


I've been reading /r/overemployed for a few weeks now wondering how people are holding 2 or 3 devops jobs simultaneously when the devops reality I've observed is what MustardFacial said.

Dans Macabre
Apr 24, 2004


I'm starting a new job! :yotj:

And only after I accepted the job found out they have legacy citrix stuff! :negative: but it's "in the cloud"

Thanks Ants
May 21, 2004

#essereFerrari


You mean they're running XenServer on bare-metal EC2 instances :negative:

Gorson
Aug 29, 2014

wolrah posted:

The technical idealist part of me wants to defend SIP as being a perfectly reasonable protocol for reasonable networks where devices have real IP addresses, and point out that NAT is the real problem. ALG devices only exist because of NAT, so we should just get rid of the actual problem.

The realist part of me knows that's never happening and we're stuck with IPv4 forever because too many dipshits just can't imagine not being able to remember a server's IP address off the top of their head.

At least switching over to SIP/TLS on a non-standard port is a viable option these days.

Definitely check your UDP timeout settings, that definitely sounds like NAT problems. Cisco tends to want 300+ second timeouts for their hosted voice products and most firewalls will default to somewhere between 30 and 60 seconds.

Thanks! I'm likely going to have to swap out the router to get it working, they have a Sagemcom from Spectrum and it's severely limited in what can be changed. They're convinced the Spectrum equipment will work and haven't come to grips yet.

Internet Explorer
Jun 1, 2005





Thanks Ants posted:

You mean they're running XenServer on bare-metal EC2 instances :negative:

stop it


Dans Macabre
Apr 24, 2004



You can probate him for this right?
