Lum
Aug 13, 2003



The Fool posted:

yah

the original rfc was published in 1971

e: looking it up, the extension for passive mode was published in 1994

Yes, so you use the control port to issue commands like cwd, ls, put etc. and in passive mode (which is basically required these days) the server opens a data port and tells the client what it is. This port is completely unauthenticated, so your only defence against data theft is ensuring that the connection to the data port is coming from the same IP as the control channel (even this doesn't protect you against a rogue actor behind the client's NAT, and the growth of CGNAT is going to completely gently caress it)

So by having the proxy round robin, you break that security measure and render it unusable. By proxying from a single IP, Joe would've managed to completely negate the one check you can do to stop an attacker from just trying random data ports and seeing what they can grab.

Fortunately I was able to impress on him the severity of this and he's redone the network to be completely different and my server now sees the source IP.
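As an added illustration of the data-channel check described in this post and the one below about it being switched off (example code written for this page, not the poster's FTPS server; client, attacker and proxy addresses and the port numbers are constructed), a toy passive-mode server run through each topology the thread mentions: direct clients, a round-robin proxy, a single-IP proxy, and the check disabled.

```python
# Toy passive-mode FTP server (added example, not the poster's server): it
# records which control-channel IP requested each PASV data port and rejects
# data connections from any other source. All addresses/ports are constructed.

CLIENT, ATTACKER = "203.0.113.10", "198.51.100.7"
PROXY_EGRESS = ["10.0.0.1", "10.0.0.2"]  # constructed proxy egress addresses

class PassiveFtpServer:
    def __init__(self, check_source_ip=True):
        self.check_source_ip = check_source_ip
        self.pending = {}  # data port -> control-channel source IP

    def pasv(self, control_ip, data_port):
        """Client sent PASV on the control channel; server opens data_port."""
        self.pending[data_port] = control_ip

    def data_connect(self, source_ip, data_port):
        """Return True if an incoming data connection is accepted."""
        owner = self.pending.get(data_port)
        if owner is None:
            return False  # nothing waiting on that port
        if self.check_source_ip and source_ip != owner:
            return False  # source differs from the control channel's IP
        del self.pending[data_port]  # each PASV port is single-use
        return True

def direct():
    """No proxy: the check stops a third party grabbing the data port."""
    srv = PassiveFtpServer()
    srv.pasv(CLIENT, 50001)
    return {"attacker_accepted": srv.data_connect(ATTACKER, 50001),
            "client_accepted": srv.data_connect(CLIENT, 50001)}

def round_robin_proxy():
    """Control and data legs leave via different IPs: the real client fails."""
    srv = PassiveFtpServer()
    srv.pasv(PROXY_EGRESS[0], 50002)
    return {"client_accepted": srv.data_connect(PROXY_EGRESS[1], 50002)}

def single_ip_proxy():
    """All inbound traffic shares the proxy IP: a guessed port gets through."""
    srv = PassiveFtpServer()
    srv.pasv(PROXY_EGRESS[0], 50003)  # real client, seen as the proxy
    return {"attacker_accepted": srv.data_connect(PROXY_EGRESS[0], 50003)}

def check_disabled():
    """Check switched off (the out-of-hours change): any source is accepted."""
    srv = PassiveFtpServer(check_source_ip=False)
    srv.pasv(CLIENT, 50004)
    return {"attacker_accepted": srv.data_connect(ATTACKER, 50004)}
```

The round-robin case is why the check ends up disabled (legitimate transfers fail), and the single-IP and disabled cases show that either way the server can no longer tell a real client from anyone else who connects to an open data port.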


Lum
Aug 13, 2003



Jeoh posted:

the only *ftp* thing that is acceptable is sftp

Unfortunately we're a Microsoft shop so no-one likes the SFTP server as it's Linux and therefore I'm the only one that can support it.

Lum
Aug 13, 2003



Joe's boss tried to set up a user on the FTPS server out of hours. He couldn't figure out how to do it, but turned off the IP address check on the data channel in attempting to make it work.

I don't even give a gently caress any more. I've told him in an email that it will risk leaking data until he turns it back on. He can log in and fix it.

E: This is the same guy who lost a ton of data by overriding my failsafe script last week after it tripped to prevent data loss. I need to come up with a fake name for him too.

Lum fucked around with this message at 00:13 on Oct 17, 2020

Lum
Aug 13, 2003



TheParadigm posted:

How bout 'humpty dumpty'?
as in, you know, the cautionary children's tale of 'humpty dumpty logged into a firewall?'

Half tempted to call him Kyle, because he keeps punching holes in things

Lum
Aug 13, 2003



So my next scripting job modifies a config file which, if hosed up, will cause a P1 incident (like 500 sites will go down). Even worse, this is being done to automate a regular change request from Sales that's annoying and fiddly to do and takes us Infrastructure peeps away from real work. It also runs things as admin on remote servers; which ones depends on exactly what Sales asked for.

What's the betting that tomorrow I'm going to have the same argument with Joe about complexity and validation, because this one has ended up even longer than previous ones because I need to make drat sure Sales can't enter garbage data, and that failures are handled cleanly to avoid collateral damage.

One of his anti-complexity arguments is maintenance, given that most of the team don't know Powershell, but a) we're recruiting, b) given the scope for fuckups, does he really want someone who doesn't know Powershell maintaining this, and c) if it breaks, just revert back to manual until we can fix it.

Tomorrow will be fun.

Lum
Aug 13, 2003



Sickening posted:

If one configuration file can bring down 500 sites, the issue isn’t if someone knows powershell or not.

It's IIS, and it's a third party CMS. I can't control that

Lum
Aug 13, 2003



Wibla posted:

I work with mass transit systems - if some suit told us to stop using the term "getting hit by a bus", we'd probably make sure he got hit by one (figuratively) at the earliest possible opportunity

I used to work for a large public sector outsourcer (that were recently in the news for storing COVID test data in an XLS file and losing loads of it when it filled), and we would genuinely get in trouble if upper management heard you use the phrase "close enough for government work".

Meanwhile at my place I'm still prohibited from applying Microsoft updates to certain systems because they can't retain enough helpdesk staff to deal with "my computer rebooted" calls. We're coming up to the one year anniversary of them blocking this, and I'm half tempted to commission a birthday cake sent to the head of operations.

The list of unpatchable systems is growing. Joe decided to use Datacore for the new SAN (It's a software SAN that runs on Windows server) but he's banned server core because "not everyone knows powershell", so it's running Desktop Experience and we're having arguments about whether or not I can patch it because "you don't patch a SAN" vs "It's running loving Windows!".

Lum fucked around with this message at 21:52 on Jan 14, 2021

Lum
Aug 13, 2003



KennyTheFish posted:

I am not sure I agree with the ‘you don’t patch a SAN’ contention. I have certainly applied software and firmware updates to every SAN I have ever run.

I don't agree with it either (and indeed did FW updates on the old Dell EMC SAN a few times)

But here it's even more fraught because... it's Windows.

If you don't want to have to deal with monthly patches on your SAN, don't buy a SAN that runs on loving Windows! Conceptually this is just a terrible idea even before Joe threw Desktop Windows into the mix!

Lum
Aug 13, 2003



SlowBloke posted:

We use SanSymphony-V and good god don't try to run it like a normal server. We run it fat desktop too as at the time Datacore didn't certify core. We usually do a support request with Datacore for confirmation before any major patching. Other than some handholding during updates, it has been more data safe than any other storage I've ever used, weathering whole stack failures with zero data loss.

I'm just talking about the normal monthly Server 2019 cumulative update. You saying not to do that either?

Given some of the ridiculous vulns out there right now, this makes me super uncomfortable

Lum
Aug 13, 2003



SlowBloke posted:

If the server is in an isolated VLAN without internet access, quick patching is not as important. Honestly I don't see much of a point of letting storage go freely onto the internet; keep those in a segregated network with heavy firewalling. If I remember correctly the biggest offenders for update issues with SSV are .NET and the Windows cumulative. We usually do those quarterly, one node at a time, with Datacore support ready to assist in case something goes tits up.

You're assuming that our networks team have done that correctly 🤣 (it's out of my control)

Interestingly, Datacore's site says they recommend applying the monthly windows Security and Quality update "as soon as it is available"

Lum
Aug 13, 2003



SlowBloke posted:

Having experienced split brain and other issues (that in Datacore's defense only created downtime but no data loss) we do prefer to let updates simmer a bit, both on the Datacore side and on the Windows side. Also your post said server, singular. That is no good, it should be at least two servers (in a sync replica team) to avoid going down during updates.

Yeah it's a two service replica pair, should've been clearer about that, sorry.

When I said SAN I meant the entire thing. I've never encountered a SAN with only one array of storage, so the thought never crossed my mind that someone would implement that, which is dumb because of course someone has somewhere, and isn't backing it up.


Lum
Aug 13, 2003



Not pissing me off.

It turns out our "digital marketing" team used an external website builder/hosting, and that builder was written in... Flash.

The company tweeted saying to use their live chat for website updates.

It's not pissing me off because it's not my problem, not my team's problem and the boss is backing us up on this one.
