PsychoArs Ars Scholae Palatinae
20y
768
Subscriptor
jhodge said:
If your management network is accessible from the Internet, you're doing it wrong. It needs to be fixed, but this shouldn't be a full-on freakout for most shops.
Yes and no.
If your management network is accessible from your workload network, you're doing it wrong. All it takes is a compromised laptop/desktop/IoT device that's reaching out and lets a bad actor control it. Defense in depth.
fuzzyfuzzyfungus Ars Legatus Legionis
12y
10,234
PsychoArs said:
Yes and no. If your management network is accessible from your workload network, you're doing it wrong. All it takes is a compromised laptop/desktop/IoT device that's reaching out and lets a bad actor control it. Defense in depth.
You also probably want 'your management network' to be internally divided to the degree possible. Ideally you'd like all your BMCs to work for you; but if one of them turns out not to, you can't necessarily trust the remainder to protect themselves (and for newly added devices that aren't supposed to require hands-on provisioning, more or less blind trust in the first thing that talks to you is a feature; so you really, really want that to be you).
Not every wire can be cut, or you might as well just get an empty shed for much, much less money; but there is often not much call for any two random devices on the management network to talk to one another, rather than a relative handful of monitoring and provisioning systems talking to otherwise solitary BMCs who have no excuse for knowing about one another.
Little-Zen Ars Praefectus
24y
3,201
Subscriptor
Deny_Deflect_Disavow said:
“The vulnerability, carrying a severity rating of 10 out of a possible 10, resides in the AMI MegaRAC, a widely used firmware package that allows large fleets of servers to be remotely accessed and managed even when power is unavailable or the operating system isn't functioning.” I'm not sure I understand how firmware can be manipulated if electricity is not available or the OS is not functioning. Secondly, these hosts may be physically wired to any network, yet how can a remote execution or procedure call be issued to the server if powered down?
If there's literally no power, like at all, then they aren't accessible, yes. But that's "no power" as in "the whole building's power is out."
If, however, it's just that the server has been powered off but is still plugged in, and the BMC is connected to a network, you can reach it. These are things like Dell iDRAC, HP iLO, Lenovo IMM, etc. They're designed to be always on, and they provide a way to access the server as though you were physically there, including a virtual console that acts like a connected monitor and keyboard, so you can even remotely power on/off a server if necessary. It doesn't use the installed host operating system - think of it like a remotely accessible BIOS with a ton of other functionality that also lets you see what's happening on the system in real time. You can even virtually mount ISOs to remotely install an operating system.
It is extremely convenient and I'm sure anyone here who has worked in IT has stories about how iDRAC saved their life at one point or another. I certainly have a few.
However, I can also say - when I was managing servers, all my BMCs were connected to an isolated VLAN, in-building only accessible from another isolated VLAN and to only a very specific set of users with separate logins used solely for interacting with devices on the management network, and remotely over a VPN that only allowed that very specific set of users to access a jump box, which itself was accessible only with the separate management network logins.
You absolutely want to isolate and protect these interfaces specifically because of vulnerabilities like this one.
Clarity, at a glance
TRMNL is an e-ink companion that helps you stay focused.
Stay focused
Meet the world's first dedicated screen for things that matter.
This tool is useful for checking whether a given Network Time Protocol server is reachable over the internet using IPv4 and IPv6 connectivity.
It also reports the resulting offset, using the time of the x1.ncomputers.org stratum 2 public NTP server as the reference.
We'll give you a link to monitor your application. You just add an HTTP call to this URL at the end of your script. If the URL is called, everything is fine. If not, you will be notified.
$0 for first 10 monitors
$1 per monitor per month after that
*Each managed job counts as one monitor.
A monitor costs $1.00 per month, or $10.00 per year. If you delete a monitor, we'll immediately stop charging you. You only pay for what you use. Adding extra users to your account won't cost you anything extra. SSL certificates are free to monitor as well.
Like most well-known remote access tools, NetBird is built on WireGuard, making it fast and well regarded for its security. However, unlike many other remote access tools, it has identity management built into its core. Therefore, when you self-host it, the first thing you set up is Zitadel, the default identity provider. But you can use any identity provider that supports OpenID, including Keycloak and Authentik. The cloud-based version supports Google Workspace, Azure, Okta, and Auth0, but this feature is only available in the Teams subscription tier.
Be careful here, though, as it seems the ability to approve peers is limited to the cloud-based version, so you could end up with new users that you don't want. That's possibly okay, because new users don't have access to anything unless you've set up access control to allow ALL, which is bad security practice anyway.
NetBird is a powerful, self-hosted access tool with numerous advanced access control policies that do more than enable NAT traversal for encrypted tunnels, making SSH access to remote web servers easy to set up. You could set up one peer on your home network as a routing peer, potentially on your router, and access internal resources on your network securely. It's also simple to set up site-to-site tunnels, without the complicated firewall configurations you'd typically need.
You can still use the free cloud-based version for up to 5 users and 100 devices, although you'd lose access to Posture Checks (handy for segmentation) and a few other things.
Beszel serves as the perfect middle ground between Uptime Kuma and a Grafana + Prometheus setup for my servers. Although it takes a couple of extra commands to deploy Beszel, the app can pull a lot more system metrics than Uptime Kuma. On top of that, it can generate detailed graphs of CPU usage, memory consumption, network bandwidth, system temperatures, and other historical data, which is far beyond Uptime Kuma's capabilities. Meanwhile, Beszel is a lot easier to set up than the Grafana and Prometheus combo, as you don't have to tinker with tons of configuration files and API tokens just to get the monitoring server up and running.
Beszel does things differently, as it's compatible with Linux, macOS, and Windows, with the developer planning a potential FreeBSD release in the future.
Beszel uses a client + server setup for pulling metrics and monitoring your workstation.
An Open Source ZFS NAS for the community
A community based fork of TrueNAS CORE
Thu 14 Jan 2016 // 07:02 UTC
The Register has learned, thanks to a post to a semi-private mailing list, of a server that has just been decommissioned after running without replacement parts since 1997.
The post, made by a chap named Ross, says he “Just switched off our longest running server.”
Ross says the box was “Built and brought into service in early 1997” and has “been running 24/7 for 18 years and 10 months.”
“In its day, it was a reasonable machine - 200MHz Pentium, 32MB RAM, 4GB SCSI-2 drive,” Ross writes. “And up until recently, it was doing its job fine.” Of late, however, the “hard drive finally started throwing errors, it was time to retire it before it gave up the ghost!” The drive's a Seagate, for those of you looking to avoid drives that can't deliver more than 19 years of error-free operations.
The FreeBSD 2.2.1 box “collected user session (connection) data summaries, held copies of invoices, generated warning messages about data and call usage (rates and actual data against limits), let them do realtime account enquiries etc.”
The server lived so long because it was fit for purpose.
Ross reckons the server lived so long due to “a combination of good quality hardware to start with, conservatively used (not flogging itself to death), a nice environment (temperature around 18C and very stable), nicely conditioned power, no vibration, hardly ever had anyone in the server room.”
"At the time of construction, we included large, 24V case style fans with proper bearings, but running on the 12V rail. These ran slowly and quietly, yet moved plenty of air. The clean conditions probably helped them survive. All the fans were still running at the time it was switched off".
A fan dedicated to keeping the disk drive cool helped things along, as did regular checks of its filters.
WireGuard is an open-source, modern VPN (Virtual Private Network) solution that uses cryptographic protocols to create secure network connections between devices. It is efficient and offers better reliability than traditional VPN protocols like IPsec. This guide explains how to install WireGuard VPN on FreeBSD 14.0 and securely configure network tunnels on the server.
But if you happen to have a cloud-based Linux server running anyway, building a WireGuard VPN can be a simple and free way to add some serious, compromise-free security and privacy to your life.
If you plan to limit the VPN to just devices owned by you and a few friends, you'll probably never even notice any extra resource load on your server. Even if you had to fire up and pay for a dedicated AWS EC2 t2.micro reserved instance, the annual costs should still come out significantly cheaper than most commercial VPNs. And, as a bonus, you'll get complete control over your data.
Right now I'm going to show you how all that would work using the open source WireGuard software on an Ubuntu Linux server.
Why WireGuard? Because it's really easy to use, is designed to be particularly attack resistant, and it's so good at what it does that it was recently incorporated into the Linux kernel itself.
The actual work to make this happen really will take only five minutes - or less. Having said that, planning things out, troubleshooting for unexpected problems and, if necessary, launching a new server might add significant time to the project.
Discover and continuously monitor every SSL/TLS certificate in your network for expiration and revocation to avoid PKI-related downtime and risk.
Welcome to the Uptime Kuma wiki!
🐻?
Kuma (クマ/熊) means bear 🐻 in Japanese.
A little bear is watching your website.🐻🐻🐻
https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
Uptime Kuma supports a lot of notifications.
For native support platforms, please read here:
https://github.com/louislam/uptime-kuma/tree/master/server/notification-providers
Uptime Kuma integrates Apprise, which supports 78+ notification services. You can read the full list here:
According to a report from The Register today, Beeks Group, a cloud operator headquartered in the United Kingdom, has moved most of its 20,000-plus virtual machines (VMs) off VMware and to OpenNebula, an open source cloud and edge computing platform. Beeks Group sells virtual private servers and bare metal servers to financial service providers. It still has some VMware VMs, but “the majority” of its machines are currently on OpenNebula, The Register reported.
According to Beeks, OpenNebula has enabled the company to dedicate more of its 3,000 bare metal server fleet to client loads instead of to VM management, as it had to with VMware. With OpenNebula purportedly requiring less management overhead, Beeks is reporting a 200 percent increase in VM efficiency since it now has more VMs on each server.
SIMPLE & INEXPENSIVE WEBSITE MONITORING.
Pricing
You only pay for what you use, check by check. 1 credit = 1 check.
For example, check 10 websites every 2 minutes from 1.83€/month (up to 5.49€/m)
Requests:
200,000 = 5€
500,000 = 10€
SMS alerts cost 7500 credits (≈ 0.10€) per message.
30 days of one check every 3 minutes = 1440/month
Intel® Core™ i5-13500
incl. Hyper-Threading Technology
RAM: 64 GB DDR4
optional max. 128 GB DDR4 (for additional charge)
Disk: 2 x 512 GB NVMe SSD (Gen4)
(Software-RAID 1)
Connection: 1 GBit/s-Port
Bandwidth guaranteed: 1 GBit/s
Backup Space: 100 GB
Traffic: Unlimited *
Available Locations
from € 39.00
monthly + € 39.00 once-off setup fee
What is TightVNC?
TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network. With its intuitive interface, you can interact with the remote screen as if you were sitting in front of it. You can open files, launch applications, and perform other actions on the remote desktop almost as if you were physically there.
One of the most common pre-sales questions we get at rsync.net is:
"Why should I pay a per gigabyte rate for storage when these other providers are offering unlimited storage for a low flat rate?"
The short answer is: paying a flat rate for unlimited storage, or transfer, pits you against your provider in an antagonistic relationship. This is not the kind of relationship you want to have with someone providing critical functions.
Now for the long answer...
JCI now offers FreeBSD 11 Cloud Servers that provide significant enhancements over previous versions of FreeBSD. Under FreeBSD 11 you will be running a true virtual cloud server and not the more limited "jail" VPS. This allows completely independent server instances with on-the-fly expandability, secure root access and custom backup capability.
Choose the server from our standard FreeBSD server plans below with the memory, disk, IPs, bandwidth and backup required to support your application.
The power of OBS Studio to your browser, offering a headless OBS Studio experience with a web interface for professional quality live streaming.
Free and open source software for video recording and live streaming.
Download and start streaming quickly and easily on Windows, Mac or Linux.