Sysadmin

A reddit dedicated to the profession of Computer System Administration.
251
 
 
This is an automated archive.

The original was posted on /r/sysadmin by /u/jameseatsworld on 2024-01-21 06:36:36+00:00.


Microsoft hit with password spray attack that resulted in multiple internal email accounts being compromised.

Something that should be easily mitigated by MFA and Conditional Access.

I've had execs complain they can't access email via some random 3rd party mail client or that MFA is too annoying, thankfully I can just tell them that Microsoft changed something and we can't disable it.

I guess you can't do that when you work there.
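
A detection for the attack this post describes, as an added example that is not part of the original thread: a password spray looks like many accounts each failing once or twice from one source in a short window, which is the opposite shape of a brute force against a single account. The sign-in events below are constructed for illustration (they are not real Entra ID or Exchange logs), and the thresholds are assumptions to tune per tenant.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, user, source IP, result).
# Illustrative only; not captured from a real tenant.
SAMPLE_EVENTS = [
    ("2024-01-21T05:00:01", "alice@corp.example", "203.0.113.10", "fail"),
    ("2024-01-21T05:01:40", "bob@corp.example",   "203.0.113.10", "fail"),
    ("2024-01-21T05:03:12", "carol@corp.example", "203.0.113.10", "fail"),
    ("2024-01-21T05:04:55", "dave@corp.example",  "203.0.113.10", "fail"),
    ("2024-01-21T05:06:30", "erin@corp.example",  "203.0.113.10", "fail"),
    ("2024-01-21T05:08:07", "frank@corp.example", "203.0.113.10", "fail"),
    ("2024-01-21T05:09:44", "frank@corp.example", "203.0.113.10", "success"),  # the spray hit
    # one account hammered from another IP: brute force, not a spray
    ("2024-01-21T05:10:00", "bob@corp.example",   "198.51.100.7", "fail"),
    ("2024-01-21T05:10:05", "bob@corp.example",   "198.51.100.7", "fail"),
    ("2024-01-21T05:10:10", "bob@corp.example",   "198.51.100.7", "fail"),
    ("2024-01-21T05:10:15", "bob@corp.example",   "198.51.100.7", "fail"),
    ("2024-01-21T05:10:20", "bob@corp.example",   "198.51.100.7", "fail"),
    # ordinary logins from the office range
    ("2024-01-21T05:11:00", "alice@corp.example", "192.0.2.5",    "success"),
    ("2024-01-21T05:12:00", "carol@corp.example", "192.0.2.5",    "success"),
]


def detect_password_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Return one alert per source IP whose failures inside `window` touch at least
    `min_users` distinct accounts with at most `max_per_user` failures each.
    'Many users, few tries each' is what separates a spray from a brute force on
    one account and from a user who simply forgot their password."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        for start, _, _ in evs:                         # slide the window over each event
            in_window = [e for e in evs if start <= e[0] < start + window]
            fails = Counter(u for _, u, r in in_window if r == "fail")
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                # sprayed accounts that then logged in successfully are the ones to reset first
                compromised = sorted({u for _, u, r in in_window if r == "success" and u in fails})
                alerts.append({
                    "source_ip": ip,
                    "window_start": start.isoformat(),
                    "targeted_users": len(fails),
                    "compromised": compromised,
                })
                break                                   # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The same logic applies to any sign-in log that carries user, source and result; the "compromised" list is the actionable part, since those are the accounts to reset and revoke sessions for, and MFA plus Conditional Access is what stops the success event from happening in the first place.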

252

The original was posted on /r/sysadmin by /u/DaRockwilda83 on 2024-01-21 06:18:22+00:00.


I get the error "Unsupported browser" on some clients after installing the application. Does anyone know of this case?

The login to the application is possible without any problems after installation, but as soon as the software opens, the error appears.

  • Edge and Chrome are installed in the latest version

  • Edge WebView 2 is also installed

  • Default browser changed from Edge to Chrome and back again

  • Host process in the config file also already manually adjusted to Edge / Chrome

253

The original was posted on /r/sysadmin by /u/TheDeathPit on 2024-01-21 04:36:13+00:00.


Hello Everyone,

Can someone please tell me how to change the font size in the SSH Browser in MobaXterm:

TIA

254

The original was posted on /r/sysadmin by /u/bluecopp3r on 2024-01-21 04:10:57+00:00.


Greetings admins. If you have administered the domain for a business that for whatever reason had to rename itself, how did you handle that change? Did you keep the original domain or did you have to rebuild it? If you had to rebuild it, what was that like?

255

The original was posted on /r/sysadmin by /u/alee1449 on 2024-01-21 03:32:16+00:00.


I am currently in a trade program that does IT (or known here in Quebec as "Computing Support") Page here

Should I be getting CompTIA A+? I have seen my classmates getting their A+ already and personally I was considering doing it. Also my teacher was recommending to get it at some point.

I am not new to computers, as I have been experimenting with them since I was little, tinkering around with Linux for a long time, and managing my own servers.

256

The original was posted on /r/sysadmin by /u/kelemvor33 on 2024-01-21 02:51:45+00:00.


Hi,

I have a bunch of old SATA drives that I need to wipe. I will be connecting them to a laptop via an external USB drive dock thing. I want to run something on the laptop to wipe the external drive. I haven't had to wipe drives in forever so, is DBAN still the standard thing to use for that? Is there something else I can just run from within Windows? I thought DBAN had to run from a flash drive but maybe that's changed?

Anyway, just looking for recommendations. I don't need something that is DoD approved or anything like that. Just something to mostly make sure the data is gone.

Thanks!
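
The overwrite-and-verify that "mostly make sure the data is gone" amounts to, as an added example rather than anything from the original post: it fills the target with fresh random data, forces it to the device with fsync, then reads it back and compares hashes so a dock that silently drops writes is caught. The demo runs on a temporary file it creates itself; pointing `wipe_path` at a block device (for example /dev/sdX on Linux as root) is the assumed real use, and it is not the right tool for SSDs, where ATA Secure Erase or crypto-erase is needed because the controller remaps blocks.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB write size


def wipe_path(path, passes=1):
    """Overwrite every byte of `path` (a regular file, or a block device such as
    /dev/sdX when run as root) with random data, fsync after each pass, then read
    the final pass back and compare hashes. Returns size, passes and verify result."""
    if passes < 1:
        raise ValueError("passes must be >= 1")
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)
        for _ in range(passes):
            f.seek(0)
            written = hashlib.sha256()
            remaining = size
            while remaining:
                block = os.urandom(min(CHUNK, remaining))
                while block:                      # handle short writes on devices
                    n = f.write(block)
                    written.update(block[:n])
                    block = block[n:]
                remaining -= min(CHUNK, remaining)
            f.flush()
            os.fsync(f.fileno())                  # push the pass out of the page cache
    # Read back after reopening; a mismatch means the writes never reached the media.
    # Caveat: on a mounted filesystem this may be served from cache; use a raw device.
    readback = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            readback.update(block)
    return {"size": size, "passes": passes,
            "verified": readback.digest() == written.digest()}


def demo_wipe_tempfile():
    """Exercise wipe_path on a throwaway file holding constructed 'sensitive' data
    and report whether any of the original content survived."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"SENSITIVE CUSTOMER RECORD\n" * 4000)   # 104000 bytes
    os.close(fd)
    try:
        result = wipe_path(path, passes=2)
        with open(path, "rb") as f:
            result["old_data_remains"] = b"SENSITIVE" in f.read()
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_wipe_tempfile())
```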

257

The original was posted on /r/sysadmin by /u/BoringTone2932 on 2024-01-21 01:31:27+00:00.


I often find myself referencing Layer 2, Layer 3, and then Layer 7 of the OSI model in troubleshooting.

However, rarely do I think “this is a layer 4, or layer 5 problem”.

What examples of problems would you give for layers 4 - 6?

Layer 1: Ethernet cord is broken

Layer 2: Switch is bad

Layer 3: Interface port on the wrong VLAN

Layer 4 - 6?

Layer 7: Bug in the software code.
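
Concrete layer 4 and layer 6 failures, as an added example that is not from the original post: the classifier below makes one connection attempt and reports the lowest layer at which it broke. "Connection refused" or a silent timeout is layer 4 (nothing listening, or a firewall dropping the SYN), a TLS handshake that dies against a plaintext service or a bad certificate is layer 6 (presentation), and an HTTP 5xx from a server that answered is layer 7. Layer 5 rarely surfaces as a distinct failure on TCP/IP, which is probably why the post never sees it. The local stand-in server, the port numbers and the HTTP status lines are constructed for the demo; the layer-3 branch only fires when the OS reports no route, which the demo does not try to provoke.

```python
import socket
import ssl
import threading


def start_plain_http_server(status_line=b"HTTP/1.0 500 Internal Server Error"):
    """Constructed stand-in for a misbehaving service on 127.0.0.1: accepts TCP, reads
    whatever the client sends (an HTTP request or a TLS ClientHello), answers with a
    plaintext HTTP status line and closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)
                except OSError:
                    pass
                conn.sendall(status_line + b"\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_unused_port():
    """Learn a free local port, then release it so a connect() to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def classify(host, port, use_tls=False, timeout=2.0):
    """Report the lowest OSI layer at which a connection to host:port fails."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "layer4: no SYN-ACK within timeout (filtered port or silent host)"
    except ConnectionRefusedError:
        return "layer4: connection refused (nothing listening on that port)"
    except OSError as e:                       # ENETUNREACH, EHOSTUNREACH, bad address
        return f"layer3: {e.strerror or e} (route/address problem)"
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except ssl.SSLError as e:          # plaintext service, bad cert, version mismatch
                return f"layer6: TLS handshake failed ({e.reason})"
            except OSError as e:
                return f"layer4: connection dropped during TLS handshake ({e})"
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = sock.recv(4096)
        except OSError as e:
            return f"layer4: connection dropped mid-exchange ({e})"
    finally:
        sock.close()
    status = reply.split(b" ")[1:2]
    if not reply.startswith(b"HTTP/") or not status:
        return "layer7: unparseable application reply"
    if status[0].startswith(b"5"):
        return f"layer7: application error (HTTP {status[0].decode()})"
    return "ok"


if __name__ == "__main__":
    broken = start_plain_http_server()
    healthy = start_plain_http_server(b"HTTP/1.0 200 OK")
    print(classify("127.0.0.1", find_unused_port()))
    print(classify("127.0.0.1", healthy, use_tls=True))
    print(classify("127.0.0.1", broken))
    print(classify("127.0.0.1", healthy))
```

Against a real service the useful property is the ordering: a layer 6 verdict means routing, the listener and the firewall are all fine and the problem is the certificate or protocol configuration, so there is no point chasing VLANs.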

258

The original was posted on /r/sysadmin by /u/jeromyhensley on 2024-01-21 01:29:36+00:00.


We’re running 12x MX7000 chassis spread across 3 chassis groups. Our chassis configuration is 1x 9116n switch, 1x 7116 in the lead and backup chassis with the member chassis running 2x 7116.

Our 9116n switches go to our network core and for storage the 9116n connect to our brocade fiber channel switches via breakout cables.

Curious to know how others have their mx7000 environments architected.

Also, what monitoring solutions work well for 9116n switches?

259

The original was posted on /r/sysadmin by /u/Aronacus on 2024-01-21 00:03:17+00:00.


My project closed Friday as a "Failure!"

What was it, you ask? Migrate 500 MacBooks from one MDM to another with ZERO USER IMPACT! No user interaction, not even a reboot, not even a button press. It's all supposed to be "behind the scenes and magical".

Of course it's impossible. Not a single vendor call took place without uneasiness or nervous laughter.

Anyone else tired of pushing the Boulder up the mountain for people who think it's just a grain of sand?

Tell me about it, misery loves company!

260

The original was posted on /r/sysadmin by /u/unhappy_sysadmin on 2024-01-20 23:59:32+00:00.


Hey all, I've been re-doing the shared folders of a file server that is being used by one of my departments. Previously they were mapped directly to the server (\\srv-name\Share) and the "XX GB free of XX GB" text under the blue bar that shows disk capacity was shown. After I re-mapped the drive to point to my DFS-N folder (\\my.domain.local\DFS_SRV\Share) it does not show the "XX GB free of XX GB" text under the blue bar, BUT it shows the correct capacity when I hover over the bar.

Here is the image of the "error":

I checked the permissions and they are correct, checked the DFS-N using dfsdiag /testreferral /DFSpath:\\contoso.com\MyNamespace and it all came clean and working as intended. I also checked with my colleague if it is just me or does it happen to him too, and it does.

I flipped the whole Google over to search for some potential solutions, but no luck.

I also have another DFS Namespace set up for another share and the capacity shows correctly in Explorer as shown in the picture above. The configuration is almost identical, except for the share name: on the right one the share name is SOMETHING$, on the left one the share name is SOMETHING.

If anyone has any ideas or if you already had this issue and resolved it, please let me know!

Thank you in advance!

261

The original was posted on /r/sysadmin by /u/jdrzejb on 2024-01-20 22:08:16+00:00.


Hey,

I had a meeting with a prospect that is in dire need of some IT support. They never had proper counsel, just break-fix computer salesmen. I was referred to them by my current client, because they wanted to get their invoicing system on the owner's laptop and their usual guy was not returning calls.

They are a quite small wholesaler, currently with one POS system. It turns out that the whole company MSSQL database (around 600 MB of transaction logs and inventory data) lies on this one 11-year-old Dell Optiplex 9020 (Windows 10). There are no passwords on the computer, the DB or the invoicing program. An offsite backup is set up, but it has been erroring out for the past 3 years (!), as nobody was doing any monitoring of it. Employees use this computer for personal stuff, like online shopping and email.

The network is in equal shape. There are multiple TP-Link WR841Ns placed around the shop, with no indication which is the main one with the WAN connection. They are just chained (each of these has some device connected; I did not have time for a full investigation to untangle this).

I talked with the owners and explained to them that this situation is no bueno and is exposing them to a lot of risk, especially as they told me that the whole company might be on the brink of existence if something happens to the data on the main machine where they have everything.

They asked me to take care of this, bearing in mind that they are expanding the company and will be opening a new location later this year, along with new hires. They will need to have this DB accessible in both locations (warehouse inventory management). They also asked to be onboarded as my permanent client where I'll be taking care of everything on a regular schedule, not only when there is an issue. I am to send them an initial plan and quotes next week. They are aware that there might be some cost involved at the beginning, having to replace/buy some of the devices and pay for my work. They seemed to be more than OK with this.

I've been building a plan in my head and I have following insights/action points:

  1. I do not trust this network, thus I will not open the MSSQL server to the laptop until I know every other device that could potentially access it. The idea is to bring in a proper firewall with DNS filtering, dpi/dps and smart queues (pfSense or UXG-Lite; I already have a controller for some customers), plus the necessary switches and access points to cover the area.

  2. I need to decentralize the MSSQL server. It might be hard to squeeze a racked server into the current building, thus I was thinking of moving the SQL to Azure.

     What I worry about is that the internet speed might be a blocker: they only have a radio link with around 25/10 speeds. Only the new location, around half a mile away, will have a fiber connection (we might use radio to carry this link between the buildings and bring proper speeds, but that's not a solution for today). Is a fully cloud-based solution with VDI a good idea, or should I find a place for this on-prem server anyway? On-prem is how I usually do this with this kind of business and this very specific software that needs this type of DB.

  3. I need to set up a proper backup solution. I usually went with Synology ABB + Backblaze B2 for setups this size, but given the possibility of a full cloud setup, is this a good idea? Veeam free (up to 10 endpoints) could also cover some of the requirements here.

  4. The Optiplex is too old to be reliable in the long run, so we need to replace it sooner or later, especially as they need a second POS; I can get them matching ones.

  5. Because they actually need a proper company email (they've been using a free online service, which has TONS of spam) and Microsoft Office, I wanted to get MS365 BP for the whole team, as it also includes Intune, Entra and Defender for Endpoint.

  6. Last, but not least: document everything I do, and let them know that whatever I take care of will have a proper note attached.

Do you have any other thoughts or suggestions on what I should focus? Does my plan sound ok, anything you'd add? I'll appreciate any input here.

262

The original was posted on /r/sysadmin by /u/-dumbtube- on 2024-01-20 19:21:41+00:00.


I've been trying to wrap my head around this issue for about a month now. Our quarantine folder gets around 200-500 hits a day from emails sent to/from this domain, since employees in China use the Chinese domain name to email employees in the US.

I've tried allow-listing the domain in O365 Defender and creating mail flow rules in Exchange Online but no dice. I contacted Microsoft about it but they don't offer any useful advice.

Exchange Mail Flow Rules

When the emails are viewed in quarantine they get marked as "DMARC Spoofing", which I don't understand, since our Chinese domain has proper DMARC set up. At least that's what MXToolbox says. It appears that both the primary and secondary MX records are present in the "UCEPROTECTL3" blacklist, but this is likely just due to qq.com.

I've been considering pretending that the domain is a phishing simulation domain like KnowBe4 to bypass Defender like in this article, but I'm unsure where to even start, since qq.com is such a massive email provider.

Any help or advice would be much appreciated.
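
How DMARC alignment is evaluated, as an added example that is not from the original post and does not claim to reproduce Defender's internal verdict: a DMARC record on the From domain is not enough on its own. The receiver needs either a DKIM signature whose d= aligns with the From domain, or an SPF pass for a MAIL FROM domain that aligns with it. Mail handed to a large provider that signs with its own domain and uses its own envelope sender fails both, however correct the sender's DMARC record is. The Authentication-Results headers below are constructed for the demo; the organizational-domain helper uses a two-label approximation where real evaluators consult the Public Suffix List.

```python
import re


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Assumption: real
    DMARC evaluators use the Public Suffix List, so e.g. example.com.cn would need it."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Parse an Authentication-Results header value (RFC 8601 style) into
    {'spf': [(result, props)], 'dkim': [(result, props)]}."""
    results = {"spf": [], "dkim": []}
    parts = [p.strip() for p in header.split(";")]
    for part in parts[1:]:                     # parts[0] is the authserv-id (receiving MX)
        m = re.match(r"(spf|dkim)=(\w+)\s*(.*)", part)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))   # smtp.mailfrom=, header.d=
        results[method].append((result, props))
    return results


def dmarc_evaluate(from_domain, auth, adkim="r", aspf="r"):
    """DMARC passes if at least one authenticated identifier aligns with the RFC5322.From
    domain: a DKIM pass whose d= aligns, or an SPF pass whose MAIL FROM domain aligns.
    'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    def aligned(d, mode):
        if not d:
            return False
        if mode == "s":
            return d.lower() == from_domain.lower()
        return org_domain(d) == org_domain(from_domain)

    reasons = []
    for result, props in auth["dkim"]:
        d = props.get("header.d", "")
        if result == "pass" and aligned(d, adkim):
            return "pass", f"DKIM pass aligned with From domain (d={d})"
        reasons.append(f"dkim={result} d={d or '?'} not aligned with {from_domain}")
    for result, props in auth["spf"]:
        d = props.get("smtp.mailfrom", "").split("@")[-1]
        if result == "pass" and aligned(d, aspf):
            return "pass", f"SPF pass aligned with From domain (mailfrom={d})"
        reasons.append(f"spf={result} mailfrom={d or '?'} not aligned with {from_domain}")
    return "fail", "; ".join(reasons) or "no SPF or DKIM results"


# Constructed headers for mail with From: someone@example.cn relayed through qq.com.
# Not captured from a real mailbox.
RELAYED_UNALIGNED = ("mx.example.com; spf=pass smtp.mailfrom=qq.com; "
                     "dkim=pass header.d=qq.com")
RELAYED_ALIGNED = ("mx.example.com; spf=pass smtp.mailfrom=qq.com; "
                   "dkim=pass header.d=example.cn")
SUBDOMAIN_SIGNED = "mx.example.com; dkim=pass header.d=mail.example.cn"

if __name__ == "__main__":
    for h in (RELAYED_UNALIGNED, RELAYED_ALIGNED, SUBDOMAIN_SIGNED):
        print(dmarc_evaluate("example.cn", parse_auth_results(h)))
```

The practical fix this points at is on the sending side: get the provider to DKIM-sign with a selector under the From domain (the RELAYED_ALIGNED case), rather than allow-listing the provider's whole domain on the receiving side.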

263

The original was posted on /r/sysadmin by /u/j5kDM3akVnhv on 2024-01-20 19:19:31+00:00.


I've been reading about best security practices for break glass accounts and the suggestion of "2 envelopes" came up.

Must have a complex password, preferably split into two parts, stored in envelopes at two different secure locations in fireproof safes.

This may be a little anachronistic in this post-Covid world?

Our organization gave up our rented office space as no one was using it anymore and our sysadmins are generally spread across a state. We are a 100% WFH organization now.

Is this still a thing? Any recommendations for doing something similar without the "fireproof safe" aspect?
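
A distributed version of the two-envelope idea, as an added example that is not part of the original post: Shamir's secret sharing splits the break-glass password into n shares of which any k reconstruct it, and a share on its own carries no information about the password. That fits a fully remote team better than two halves of a string, since two halves each leak half the password and both holders must be available. The code assumes the password is at most 64 bytes and uses the Mersenne prime 2^521-1 as the field; the share text format is an assumption chosen so a share fits in a password-manager entry.

```python
import secrets

PRIME = 2**521 - 1   # Mersenne prime; any secret of up to 64 bytes is below it


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients at x, mod PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split `secret` into `shares` pieces of which any `threshold` recover it.
    The constant term of a random polynomial of degree threshold-1 is the secret,
    so fewer than `threshold` points reveal nothing. Each share is (x, y, length)."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > 64:
        raise ValueError("secret too long for this field; split it into chunks")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x), len(secret)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x=0 from `threshold` distinct shares."""
    length = shares[0][2]
    total = 0
    for i, (xi, yi, _) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def encode_share(share):
    """Text form for a password-manager entry or a sealed envelope (assumed format)."""
    x, y, length = share
    return f"{x}-{length}-{y:x}"


def decode_share(text):
    x, length, y_hex = text.split("-")
    return int(x), int(y_hex, 16), int(length)


if __name__ == "__main__":
    pw = b"constructed break-glass password, not a real one"
    texts = [encode_share(s) for s in split_secret(pw, threshold=2, shares=3)]
    print(texts)
    print(recover_secret([decode_share(texts[0]), decode_share(texts[2])]))
```

Give each admin one share in their own vault, set the threshold to two (or three for a larger team), and rotate the password, and therefore the shares, after every use, since reconstruction on one machine reveals the whole secret there.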

264

IP phones

The original was posted on /r/sysadmin by /u/Soft-Hamster2909 on 2024-01-20 19:14:15+00:00.


Looking for a good, lower cost ip phone system. Cloud-based would be preferable. Probably around 50 to 70 soft phones for a new office. Any recommendations? Thank you!

265

The original was posted on /r/sysadmin by /u/Ragepower529 on 2024-01-20 16:03:34+00:00.


So just wondering how many of us saw insider info or memos and pretended that nothing was seen. I had an event in the past 6 months that could have easily netted me 40% returns or over 1500-4000% depending on what options I would have bought. Although there was a less than 15 minute time frame to react, so I couldn't really do anything without risking serious consequences, not to mention not thinking about the choices fully.

Edit to clarify it was information that was going to go public and when it did the stock price spiked 20%

266

The original was posted on /r/sysadmin by /u/deucemcsizzles on 2024-01-20 05:19:16+00:00.


So, I'm not necessarily a sysadmin, but I've been around the block in the IT biz.

I was in a team meeting and we were discussing an ongoing issue with an internally developed application and conflicts it was causing with O365. To keep a long story short, it was brought up that maybe doing things the old-fashioned way, the way they were done prior to said software being a thing, might be a good triage item.

I said in the meeting (roughly) "It sounds to me like there needs to be a clearly defined business continuity plan in the event our department has an issue such as this."

My supervisor said shortly after "What was that word you just used? Business what-y what-y?"

I don't expect management to be on my level technically, but for them to not understand business concepts like that when I'm just a tech guy is disconcerting.

Have you folks had to deal with a supervisor or manager who didn't understand the business end better than you did and how did you compensate/manage up/deal with it?

EDIT: Thanks for the feedback everybody. I may need to give my supe the benefit of the doubt instead of assuming he is an idiot going forward after reading the comments lol. Appreciated nonetheless.

267

The original was posted on /r/sysadmin by /u/AtTheRogersCup2022 on 2024-01-19 17:04:29+00:00.


RIP Father Time.

Some further reading:

268

The original was posted on /r/sysadmin by /u/ovway39 on 2024-01-18 22:35:59+00:00.


How do you all handle keeping your servers up to date? I just joined an org on a 2 year contract and found they've got 50+ servers running old versions of CentOS and Debian. Many of the systems are running custom code. None of these systems are on the public internet.

How would you handle this? Upgrading them to the latest OS gets us nothing tangible in terms of features/performance. We do have firewalls, IDS/IPS and the like. Do we isolate those old systems and leave them as is, or put money into modernizing them? Or something else? What strategies do you guys use?

EDIT: Most (95%+) systems are running custom in-house built applications. No real concern of a vendor dropping us. The auditor comments are spot on though. Some of these systems will naturally phase out and EOL on their own due to no longer being a business need.

2nd EDIT: All the systems are VMs

269

The original was posted on /r/sysadmin by /u/patriotaki on 2024-01-18 19:53:45+00:00.


Hi all,

So I have a dedicated server with IP e.g. 123.456.78 , the hostname of the machine is "malta12345.example.com"

On the server, I also have a domain "mydomain.com", which the A record points to the server. I am trying to send emails via SMTP through this domain.

Hostname: malta12345.example.com

IP: 123.456.78

Domain: mydomain.com

The rDNS record of the server's IP was pointing to "malta12345.example.com", however I was getting blacklisted by matrix.spfbl.net with the reason

"Register a valid rDNS for this IP, which points to the same IP."

I have now changed the rDNS records to point to mydomain.com (I don't know if that is correct) and now I get the following error:

  • valid FCrDNS.*

This IP was flagged due to misconfiguration of the e-mail service or the suspicion that there is no MTA at it.

For the delist key can be sent, select the e-mail address responsible for this IP:

non-existent.

Is this correct? If I delist it will the rDNS be correctly set up?

How can I set up this properly so my domain is not blacklisted? (emails are landing in spam folders in yahoo, hotmail and outlook mail servers - probably because of that).

PS: My SpamAssassin/Mail-tester score is 9.5/10
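
What the blocklist is checking, as an added example that is not from the original post: forward-confirmed reverse DNS (FCrDNS) means the PTR for the sending IP yields a name, and that name's A/AAAA record contains the same IP. Either "malta12345.example.com" or "mydomain.com" works as the PTR target, as long as the name resolves back to the IP and the MTA announces the same name in HELO/EHLO. The zone data below is constructed on a TEST-NET address so the checks run offline; the lookups are injected, and the two `live_*` functions show the same check against real DNS via the socket module.

```python
import socket


def fcrdns_check(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, and A/AAAA(name) must contain ip.
    Lookup functions are injected so the logic runs against constructed records offline
    or against live DNS."""
    names = ptr_lookup(ip)
    if not names:
        return False, f"{ip} has no PTR record"
    for name in names:
        if ip in a_lookup(name):
            return True, f"PTR {name} resolves back to {ip}"
    return False, f"PTR name(s) {', '.join(names)} do not resolve to {ip}"


def helo_consistent(helo_name, ip, ptr_lookup):
    """Blocklist operators also expect the SMTP HELO/EHLO name to match the PTR name."""
    ptrs = [n.lower().rstrip(".") for n in ptr_lookup(ip)]
    return helo_name.lower().rstrip(".") in ptrs


# Constructed zone data mirroring the post's setup (TEST-NET address, not a live host).
SERVER_IP = "192.0.2.10"
A_RECORDS = {
    "malta12345.example.com": ["192.0.2.10"],
    "mydomain.com": ["192.0.2.10"],
    "www.otherhost.example": ["192.0.2.99"],   # a PTR pointing here would not confirm
}


def make_ptr_lookup(ptr_name):
    """Fake reverse zone: SERVER_IP has exactly one PTR, everything else has none."""
    return lambda ip: [ptr_name] if ip == SERVER_IP else []


def fake_a_lookup(name):
    return A_RECORDS.get(name.lower().rstrip("."), [])


def live_ptr_lookup(ip):
    """Real PTR lookup via the system resolver (needs network)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:
        return []


def live_a_lookup(name):
    """Real A/AAAA lookup via the system resolver (needs network)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except OSError:
        return []


if __name__ == "__main__":
    for ptr in ("malta12345.example.com", "mydomain.com", "www.otherhost.example"):
        print(ptr, fcrdns_check(SERVER_IP, make_ptr_lookup(ptr), fake_a_lookup))
```

Run `fcrdns_check(your_ip, live_ptr_lookup, live_a_lookup)` from the server itself after the PTR change has propagated; if it passes and the MTA's HELO name equals the PTR name, the "no valid FCrDNS" reason no longer applies and a delist request is the right next step.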

270

The original was posted on /r/sysadmin by /u/TKInstinct on 2024-01-18 19:39:29+00:00.


I've known about this for a few months but I haven't had a lot of time to do research on it. I have a user who is randomly seeing their File Explorer instances close during the day. It's an inconvenience for them but it's not killing their workflow for more than a minute or two at a time. Apparently there are more, but no one else has reported the issue; the user in question mentioned that someone had mentioned it to her.

There doesn't seem to be any event viewer logs generating for it, it's not a crash so much as it's just closing. The machines are up to date on Win 10 and receiving monthly patches along with Dell updates. Anyone else heard of this? I'm at a loss on what to do.

271

The original was posted on /r/sysadmin by /u/thegreatcerebral on 2024-01-18 16:44:47+00:00.


Needing to rebuild data infrastructure for "reasons"...

Current Setup:

  • Single Host with storage local
  • Housing small amount of VMs (DC, FS, VCenter)
  • No redundancy
  • Can't really expand
  • Backups are D2D that are on a hosted server in the rack

What I am thinking is the more traditional:

  • 2 to 3 (probably 2 to start) Hosts
  • Shared Dedicated Storage (Example: Dell ME5012)
    • This has two controllers inside of it so there is some redundancy built-in
  • Want to have 2x DCs even though it may not be worth it if I were to setup FT in which case a dedicated smaller bare metal DC as redundant would serve better possibly...
  • Will still run FS
  • Have some new VMs to spin up for various tools required for the "reasons" above.
  • I don't want to go VMware, but I'm not familiar enough with the other options to not go with them, and the new pricing model sucks because I'll be a system short for the licensing, seeing as you must license as if you have the full cores anyway.
  • This is a more elastic install as we can grow to another host if needed as well as grow out the storage if needed as well as customize the need (speed vs. density)

My question is first... is this still the better way to go? Technically speaking we don't NEED to make it more robust and the business would love to not look at a higher bill for hardware costs. We do have some NEW needs that have arisen but growth beyond the required things is minimal right now. I would just build a larger build like the existing to house MORE things: RAM, Storage, CPU Cores probably.

Next question is that one of the servers we are needing to implement is a SIEM server. I was looking at OSSIM for the community edition due to cost however I am open to something else if it serves the purpose. The question still stands and that is, am I better served having a dedicated server, most likely bare metal for a SIEM solution? Should I put it in the VM environment? I don't want it to kill the IOPS on ingesting of logs. I am not running one now so I'm not sure what all I will be looking at with full implementation. For servers, you have the number of what we have. With the new situation just say you will be looking at 8 servers overall, We have Meraki hardware: 1 MX, 2 MS, and 1 MR, 30 desktops, and lets put the number at 12 "other" network connected devices. Note: the other VMs from the other requirements, due to our size will be VERY small footprints just to cover some utilities that we need to have and use from time to time.

I don't think the data will be tons but I have no idea. I have only seen scenarios where someone is paying a company to do the SIEM and they usually are paying for the full service but have a local machine for ingest and then push to the cloud. This may still be an option for us however in the interim, I may need to house this box in an effort to offset any other costs.

Lastly, due to the restrictions of things, really the cloud isn't an option right now unless after pricing all of this out it becomes viable. Sorry if I'm being vague... CMMC 2.0/NIST 800-171 stuff and GovCloud type stuff.

272

The original was posted on /r/sysadmin by /u/B1tN1nja on 2024-01-18 15:46:37+00:00.


We have a hyper-v guest that's Windows Server 2019 Standard that will randomly lose network connectivity until we reboot it.

This happened once a few months ago, then on Tuesday, and again just this morning (Thursday).

Clearly it's a repeating issue and something we need to get to the bottom of.

I was able to get into the server via the host OS and run a ping from the guest to the host but it failed with

"no resources"

I have not yet re-created the virtual switch, but it's just using a dedicated NIC port and NOT sharing that with the host OS.

Event logs don't show anything of interest over the past hour in system or application on host OR guest OS

Any advice on where we can look and what might be causing this?

273

The original was posted on /r/sysadmin by /u/Shujolnyc on 2024-01-19 13:33:43+00:00.


TL;DR: have you used your company's cyber coverage? How did it go?

We’re diving into our cyber coverage and leadership and even my boss are slowly irking into what is surely an ill-advised stance: "when" something happens, not "if", our cyber insurer will step in and take over. It's their responsibility to lead the recovery efforts, negotiations, and to tell us what to do, etc.; it's risk transference. We don't need to spend more on tools and people for prevention.

I am frugal given our industry and I know we can’t do everything perfectly.

Where we end up will be a risk management exercise and I'm happy to even be having these conversations. I will get things in writing and I am an avid believer in the Amazon principles of having a backbone and disagreeing and committing.

My questions for all of you are (which ever you can answer):

Have you engaged a cyber provider ever? If so, how did it go? What resources did they pull in? Did they take ownership? How involved was IT or Cyber? Were there disagreements between leadership and the provider on response? How did that go?

274

The original was posted on /r/sysadmin by /u/RW2005 on 2024-01-19 13:14:55+00:00.


I inherited a mess. I have two domain controllers. They're both on Server 2003. I figured it would be easy...just install a temporary 2012 R2 server and migrate to that first.

When I went to promote the 2012 R2 server to a DC I kept getting an error saying "The wizard cannot access the list of domains in the forest. This error is: The target account name is incorrect." Every time I try to promote I get different random errors saying access denied, etc. I'm guessing this is a replication issue.

I log in to the domain controllers and run a DCDIAG.

   Testing server: Default-First-Site-Name\DOMAIN1
      Starting test: Replications
         [Replications Check,DOMAIN1] A recent replication attempt failed:
            From ROOT01 to DOMAIN1
            Naming Context: DC=DomainDnsZones,DC=domain,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2024-01-17 08:55:23.
            The last success occurred at 2023-09-12 04:59:36.
            3133 failures have occurred since the last success.

This is the error I get from the DC that DOES NOT have the FSMO roles. I then run another DCDIAG on the DC with FSMO roles and this is what I get.

   Testing server: Default-First-Site-Name\ROOT01
      Starting test: Connectivity
         ......................... ROOT01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ROOT01
      Starting test: Replications
         [Replications Check,ROOT01] A recent replication attempt failed:
            From DOMAIN1 to ROOT01
            Naming Context: DC=DomainDnsZones,DC=domain,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2024-01-17 08:58:25.
            The last success occurred at 2023-09-12 04:53:49.
            3040 failures have occurred since the last success.

I've been reading online, and what I'm reading is that the best thing to do is demote the server that doesn't have the FSMO roles. DOMAIN1 is the DC without the FSMO roles...so would the best thing be to demote DOMAIN1? Then go ahead and try to promote my 2012 R2 server again.

Thanks in advance.

Edit: And of course I backed up both servers using NT Backup with system state!

275

The original was posted on /r/sysadmin by /u/SpringOreo on 2024-01-19 13:13:00+00:00.


Going through STIGs I need audit rules on my machines to be an exact way. In my audit.rules file they show as

-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k

But when during the check and running auditctl -l the rules show up as

-a always,exit -S all -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F

I'm having trouble figuring out why the rules I created are different from the ones that are loaded and being listed?
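
A way to compare the two forms without being tripped up by the cosmetic differences, as an added example that is not from the original post: the kernel stores auid as a 32-bit unsigned value, so `4294967295`, `unset` and `-1` are the same filter; a syscall rule given no `-S` applies to all syscalls, which `auditctl -l` prints as `-S all`; and a `-k NAME` key is printed back as `-F key=NAME`. The normalizer below rewrites both sides into one canonical form so a STIG check can compare a rules file against `auditctl -l` output line by line. The key name `privileged` is assumed, since the post's rule is cut off after `-k`; watch rules (`-w`) are deliberately not handled.

```python
import shlex

_OPS = ("!=", ">=", "<=", "=", ">", "<")          # two-character operators first
_UNSET_AUID = {"4294967295", "unset", "-1"}       # the same 32-bit value, three spellings


def canon_filter(expr):
    """Canonicalize one -F expression: an 'unset' auid in any spelling becomes -1."""
    for op in _OPS:
        if op in expr:
            field, value = expr.split(op, 1)
            if field == "auid" and value in _UNSET_AUID:
                value = "-1"
            return f"{field}{op}{value}"
    return expr


def normalize_audit_rule(rule):
    """Rewrite an auditctl syscall rule into one canonical form: '-S all' when no
    syscall was given, filters in file order, unset auid as -1, key as '-F key=NAME'.
    Not byte-identical to auditctl -l output, but equal for equivalent rules."""
    toks = shlex.split(rule)
    action, syscalls, filters, key = None, [], [], None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-a":
            action, i = toks[i + 1], i + 2
        elif t == "-S":
            syscalls.append(toks[i + 1])
            i += 2
        elif t == "-F":
            expr = toks[i + 1]
            if expr.startswith("key="):
                key = expr[4:]
            else:
                filters.append(canon_filter(expr))
            i += 2
        elif t == "-k":
            key, i = toks[i + 1], i + 2
        elif any(op in t for op in _OPS):         # tolerate a filter missing its -F
            filters.append(canon_filter(t))
            i += 1
        else:
            raise ValueError(f"unrecognised token {t!r} in rule {rule!r}")
    if action is None:
        raise ValueError(f"no -a action in rule {rule!r}")
    out = ["-a", action]
    for s in syscalls or ["all"]:
        out += ["-S", s]
    for f in filters:
        out += ["-F", f]
    if key:
        out += ["-F", f"key={key}"]
    return " ".join(out)


def diff_rules(expected_rules, loaded_rules):
    """Compare syscall rules from a rules file with `auditctl -l` output after
    normalizing both; returns (missing_from_kernel, unexpected_in_kernel)."""
    want = {normalize_audit_rule(r) for r in expected_rules if r.strip().startswith("-a")}
    have = {normalize_audit_rule(r) for r in loaded_rules if r.strip().startswith("-a")}
    return sorted(want - have), sorted(have - want)


# The post's two forms of the same rule; the key name 'privileged' is an assumption.
FILE_RULE = "-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
LOADED_RULE = "-a always,exit -S all -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged"

if __name__ == "__main__":
    print(normalize_audit_rule(FILE_RULE))
    print(normalize_audit_rule(LOADED_RULE))
    print(diff_rules([FILE_RULE], [LOADED_RULE]))
```

Feed `diff_rules` the lines of the rules file and the lines of `auditctl -l`; an empty "missing" list is what the STIG check actually wants, regardless of how the kernel chooses to print the rule back.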
