Well this has gone wildly off question. Not at all disagreeing with anything you said, but

quote:This is more of a security problem. You don't have a dedicated server guy and you're running (presumably) unmaintained Windows servers for something that'd cost you $15/yr.

I maintain it. It's been fine for three years now with a single instance of someone (him) getting that FBI "You've been watching child porn" ransomware on his laptop and stupidly bringing it in and connecting to the network to try and download something to get rid of it.

quote:Email in-house is stupid for the same reason. SPF, DKIM, not being an open relay, and everything else you need to get reliable mail transport sounds like it's beyond the skillset of anyone at your company. Paying someone to deal with all the hassle is virtually free and removes a lot of headache from your very small company. There is zero reason to have email in-house.

Thanks for the condescending assumptions, but the email server is secure. We've never been blacklisted despite having to email back and forth to half of East Asia 200 times a day and some idiots trying to brute force in from China twice a month, but yes, I actually do enforce strong passwords for email, desktops and RDC. Yeah, someone will get in someday, but it's not the unmanaged shitbox you're making it out to be.

quote:If they want access to "their own PCs with Illustrator set up just the way they like" they should get laptops. Or hit the terminal server from inside the company as well and set up Illustrator on VDI or whatever. Port forwarding to internal workstations so they can RDP in from wherever and use Illustrator "just the way they like" is wrong in many, many ways.

Yup. Doesn't matter. Hell, it took PCAnywhere being incompatible with Windows 7 for them to finally stop using that; remote desktopping is the way they've done it for a decade and it's the way they'll do it when I'm gone. It's not a fight worth bothering with. It's his decision to do it this way and he's not going to buy 5 $2000 laptops (Illustrator CC is a loving resource destroying monster that won't open 90% of their poo poo on a $600 laptop) and 5 more Illustrator yearly licenses.

quote:It's also your job (assuming you're the "computer guy" at this shop) to inform him of what his limitations are and what you're not willing to do. When A/B/C happens and your mail server gets on a blacklist so you can't talk to clients at all anymore until you migrate your email infrastructure somewhere else, or whatever web frontend you set up for email has a zero day and you get your email server rooted, or someone brute forces the terrible password the clothing designers set on their account which has port-forwarded RDP with no real security and steals all your clothing designs from your NAS or whatever...

Well, I killed the webmail, it's not an open relay, and not a single person has managed to get in since I've been here. When he did host it somewhere else they did have to deal with blacklisting because some other customer got their IP range blacklisted, so he had it moved in-house. He had his reasons, it solved the problem, and it hasn't happened since, as I actually do stay on top of it. My only desire is to free up the drat Windows server from having to process 1500 daily emails.

quote:It's better to stop problems preemptively than fight fires when they spring up, and they will spring up in your environment. You don't have the in-house expertise to manage email, you probably don't need to host your website in-house, etc. It's not a bad thing, just set boundaries while you can before you're trying to rescue your infrastructure from whatever disaster befalls it.

Yup, and again, doesn't matter. This isn't a 300 person corp, it's an 11-man shop (well, 2 men, 9 women) that he runs the way he wants to run it, and again, while I agree with you completely, it's not going to change anything.
# ? Sep 27, 2013 21:11

# ? Jun 13, 2024 07:52
evol262 posted:There are a few ways to do this. Please read the stuff on xen-pciback.

Yeah, this section is what I want I think, since I want to be able to assign dynamically. Couple questions though: How is editing the /etc/modprobe.d folder different from editing a /etc/modprobe.conf file? I seem to have the former. If I edit the modprobe configuration to have the pciback module load the radeon driver first like in that guide, will Debian automatically fall back on the nvidia driver or do I have to specify that somewhere else?
# ? Sep 27, 2013 21:12
eXXon posted:If you mean Intel RAID, you should be able to use it across both, although it's probably not going to be worth the headaches if one or the other drops and you don't actually need the performance gain. If you mean an actual controller, they're pretty expensive and again not worth it unless you actually really need it. I actually meant something like mdadm or ZFS. My research today has led me to believe there's nothing like that that works cross platform. I'll just use whatever the raid is on my motherboard.
# ? Sep 27, 2013 21:13
Feral Integral posted:Yeah, this section is what I want I think, since I want to be able to assign dynamically. Couple questions though:

The kernel will load whatever drivers it needs for unassigned devices. If pciback has the nVidia card bound, the kernel won't try to assign anything else to it.

Toasticle posted:I maintain it. It's been fine for three years now with a single instance of someone (him) getting that FBI "You've been watching child porn" ransomware on his laptop and stupidly bringing it in and connecting to the network to try and download something to get rid of it.

At any rate, the concerns with blacklisting have a lot to do with someone blacklisting an entire IP range you happen to be sitting in and other problems out of your control but within the reach of very large email providers. When your email infrastructure is (by your own admission) a POS, you have no downsides and only upsides in moving to externally-hosted email.

Toasticle posted:Yup. Doesn't matter. Hell, it took PCAnywhere being incompatible with Windows 7 for them to finally stop using that; remote desktopping is the way they've done it for a decade and it's the way they'll do it when I'm gone. It's not a fight worth bothering with. It's his decision to do it this way and he's not going to buy 5 $2000 laptops (Illustrator CC is a loving resource destroying monster that won't open 90% of their poo poo on a $600 laptop) and 5 more Illustrator yearly licenses.

Toasticle posted:Well, I killed the webmail, it's not an open relay, and not a single person has managed to get in since I've been here. When he did host it somewhere else they did have to deal with blacklisting because some other customer got their IP range blacklisted, so he had it moved in-house. He had his reasons, it solved the problem, and it hasn't happened since, as I actually do stay on top of it. My only desire is to free up the drat Windows server from having to process 1500 daily emails.

Toasticle posted:Yup, and again, doesn't matter. This isn't a 300 person corp, it's an 11-man shop (well, 2 men, 9 women) that he runs the way he wants to run it, and again, while I agree with you completely, it's not going to change anything.

My advice is that you shouldn't run your own email infrastructure. And you definitely shouldn't run your own email infrastructure on an operating system you're unfamiliar with and you haven't touched in years. And you shouldn't always do whatever your boss says, especially when it's not in his problem domain at all -- this is your job and he pays you for it. Including making decisions. But you're going to do whatever, so
# ? Sep 27, 2013 21:23
Thermopyle posted:I actually meant something like mdadm or ZFS. I had the same question a few years ago and the answer was clearly either no raid or a separate NAS box. Which is why I now have a FreeBSD server in my apartment
# ? Sep 27, 2013 21:30
At least for the RDP stuff, get some sort of VPN solution in place so they can just connect to the LAN addresses and you'd only have to manage the one NAT entry for the gateway?
# ? Sep 27, 2013 22:18
evol262 posted:The kernel will load whatever drivers it needs for unassigned devices. If pciback has the nVidia card bound, the kernel won't try to assign anything else to it. OK so I created the file /etc/modprobe.d/xen-pciback.conf : code:
code:
code:
# ? Sep 27, 2013 23:10
Feral Integral posted:OK so I created the file /etc/modprobe.d/xen-pciback.conf : Do you mean detected and taken by dom0? Do you have iommu/vt-d? Does "dmesg | grep -i 'IO Vir'" return anything?
# ? Sep 27, 2013 23:17
evol262 posted:Do you mean detected and taken by dom0?

Yeah, I should have VT-d. My system is an Intel Core2 Duo CPU E8400 on a Gigabyte EP35-DS3L; that command doesn't return anything.
# ? Sep 27, 2013 23:48
Feral Integral posted:Yeah I should have vt-d. My system is a Intel Core2 Duo CPU E8400 on a Gigabyte EP35-DS3L, that command doesn't return anything. See this. I have no idea how to enable it on your particular motherboard, or even whether it supports it.
# ? Sep 27, 2013 23:56
evol262 posted:See this. I have no idea how to enable it on your particular motherboard, or even whether it supports it. It's already enabled in the bios.
# ? Sep 27, 2013 23:59
Feral Integral posted:It's already enabled in the bios.

VT-d was introduced in Nehalem. Core microarchitecture doesn't have it.
# ? Sep 28, 2013 00:02
Misogynist posted:VT-d was introduced in Nehalem. Core microarchitecture doesn't have it. ARK says the E8400 has VT-d. But the P35 does not.
# ? Sep 28, 2013 00:06
Well, there's a "Hardware Virtualization" toggle in the BIOS and I've switched it to on.
# ? Sep 28, 2013 00:15
Feral Integral posted:Well theres a "Hardware Virtualization" toggle in the bios and I've switched it to on That's possibly just enabling VT-x?
# ? Sep 28, 2013 00:29
Misogynist posted:VT-d was introduced in Nehalem. Core microarchitecture doesn't have it.

You have VT-x. For the Core architecture it would be chipset dependent, as that's where the memory controller is. To the OP, you need a server board. You won't find this feature on a consumer 775 motherboard.
# ? Sep 28, 2013 00:38
evol262 posted:ARK says the E8400 has VT-d. But the P35 does not. Ahh crap you're right. Guess I gotta upgrade my old rear end system :/ . ty
# ? Sep 28, 2013 00:41
This is probably needless noise, but I just wanted to remind people in this discussion with a PSA that the K (unlocked multiplier processors) series lack VT-d.
# ? Sep 28, 2013 01:36
sm00th posted:As far as I remember I only used "-dpms" and "s off". Thanks for the feedback. I had checked before and I'm pretty sure the above did report DPMS disabled if I did an xset -q. But I checked again and sure enough it was enabled. But this helped me get to the bottom of it... XBMC was set to blank the screen at 30 minutes, and so whenever this happened DPMS got re-enabled, and of course quitting XBMC (and loading emulators) didn't reset the settings to how I want them. I just changed XBMC's timer to 120 minutes, so hopefully that'll take care of it. As an aside, anyone know why Xbox 360 gamepad input (using the native xpad driver if it matters) doesn't interrupt the idle timeout like keyboard/mouse input do?
# ? Sep 28, 2013 01:51
fourwood posted:As an aside, anyone know why Xbox 360 gamepad input (using the native xpad driver if it matters) doesn't interrupt the idle timeout like keyboard/mouse input do? Because the xserver is not aware of it as there is no xf86-input driver for it.
# ? Sep 28, 2013 08:58
More correctly, it's because xf86-input-evdev does not update IDLETIME in response to events for devices it does not recognize like joypads. There's been talk about changing that, though.
# ? Sep 28, 2013 12:14
No, sm00th was right the first time. Take a look at the output of xinput some time, your gamepad won't be listed.
# ? Sep 29, 2013 02:05
I went and tried a different distribution and didn't care for it. I told Mint to install to my SSD and somehow it ended up on my 1TB drive that I have partitioned twice, 500GB each: one NTFS Windows and one Ext4 partition. What's the best way to clone this drive over to the 120GB SSD and have Grub2 installed and recognize Windows for booting? I've been googling and apparently dd is the way to go, but I'm getting the vibe this is for two partitions of equal size, not a large to small.
# ? Sep 29, 2013 02:18
Can't go wrong with rsync, chroot in, grub-install. Worst case, you may need to rerun grub-install once it's booted native to pick up Windows as an entry.
# ? Sep 29, 2013 16:07
crazysim posted:This is probably needless noise but I just wanted to remind people in this discussion with a PSA that the K (unlocked multiplier processors) series lack VT-D. Holy crap thank you for posting this, I was just about to buy the i5-3570K without even checking.. so I won't be able to overclock if I want vt-d? Bummer
# ? Sep 29, 2013 20:29
Feral Integral posted:Holy crap thank you for posting this, I was just about to buy the i5-3570K without even checking.. so I won't be able to overclock if I want vt-d? Bummer

Yes, but only by manipulating the FSB speed.
# ? Sep 29, 2013 23:18
Feral Integral posted:Holy crap thank you for posting this, I was just about to buy the i5-3570K without even checking.. so I won't be able to overclock if I want vt-d? Bummer Pick a processor then look it up on ARK to make sure it has the features you want. Intel segments the market in really bizarre ways (like no VT-d on K-series CPUs), so it's better to just make sure, or buy a Xeon.
# ? Sep 30, 2013 15:40
I used Clonezilla on an Ubuntu 13.04 partition, then restored that in a VirtualBox VM; that worked fine. However, now I have no window decorations in that VM and I cannot for the life of me get them back. Any suggestions?

edit: nevermind. I just wiped all GNOME, dbus, compiz settings in my home directory and it fixed it. I'll have to reconfigure a bunch of poo poo, but oh well.

Thermopyle fucked around with this message at 18:41 on Sep 30, 2013

# ? Sep 30, 2013 17:24
Somehow I've been put on a team to set up a server for our division. I have no idea what I'm doing. Our first question is to choose the distribution to use. We will be serving:
- a small wiki
- a dropbox-like file sharing system
- server versions of RStudio, iPython, and Octave
- maybe a mercurial server if I can get any of my collaborators to use version control

for a dozen, maybe two dozen users at most (Ph.D. students in a Psychology department). So... Ubuntu LTS or Debian? I know they're very similar, but are there any reasons to go one way or the other? I guess our requirements are that it should be easy to set up and require very little maintenance, since we have no idea what we're doing and will eventually need to train even less Linux-aware students to maintain it.
# ? Sep 30, 2013 19:12
What's a good tool for doing a security audit on old UNIX boxes like HP-UX, AIX, or Solaris? I just know it's a hundred times easier to crack passwords or accounts on some old server that hasn't been patched in 10 years and then hop on to Windows/AD from there. What I'm getting at is trying to make a case for not using the same passwords for users on Windows, the VPN, and the crusty old Unix server.
# ? Sep 30, 2013 19:51
Bob Morales posted:What's a good tool for doing a security audit on old UNIX boxes like HP-UX, AIX, or Solaris?

Honestly, johntheripper will probably break those passwords in less than 5 minutes. And if it's an unpatched 10 year old box, there are 99% odds that a Metasploit scan will turn up vulnerabilities. That's not a use case for not using the same passwords, though. The "crusty old UNIX" boxes (especially HP-UX) probably don't even care about or encode any characters past the 8th, so enforcing strong passwords mitigates the risk of actually breaking it.
# ? Sep 30, 2013 20:29
evol262 posted:That's not a use case for not using the same passwords, though. The "crusty old UNIX" boxes (especially HP-UX) probably don't even care about or encode any characters past the 8th, so enforcing strong passwords mitigates the risk of actually breakin git. I forgot all about that. I wish I was joking but our 'password requirements' are 8 characters (no more, no less!), a mix of all capital letters and numbers. I wish I was joking..
# ? Sep 30, 2013 20:31
It's very likely using DES so jtr can do it in no time flat.
# ? Sep 30, 2013 21:24
spankmeister posted:It's very likely using DES so jtr can do it in no time flat.

I have an Athlon X2 3200+ cranking through /etc/passwd right now (212 password hashes, 196 different salts (Traditional DES [128/128 BS SSE2-16])). Looks like pretty much everyone's password is their first name or last name, or their username with a 1 on the end of it. Root pw is a common 8-letter word with a 1 on the end of it, which of course doesn't even matter because it's the 9th character.
# ? Oct 1, 2013 15:41
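As an added example for the last three posts (my code, not Bob Morales's, evol262's or spankmeister's), here is a small audit script that classifies the hash scheme of each passwd/shadow-style entry and flags exactly what they describe: traditional DES crypt ignoring everything past the 8th character (so the root password's trailing "1" is irrelevant and an 8-character policy is the most the scheme can enforce), and hashes sitting in a world-readable /etc/passwd instead of /etc/shadow. The sample entries are constructed and contain no real hashes; the scheme table goes a little beyond the thread's DES case by covering the common modular-crypt prefixes too.

```python
"""Audit classic crypt(3) password entries for the two problems the thread raises.

Added example, not code from the thread: it classifies the hash scheme of each
passwd/shadow-style entry and flags traditional DES crypt (only the first 8
characters of the password are used) and hashes kept in world-readable
/etc/passwd instead of /etc/shadow. The sample lines below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the pre-shadow layout Bob describes: the hash is field 2
# of /etc/passwd. None of these are real hashes or real accounts.
SAMPLE_PASSWD = """\
root:Xy7QbN2cW4mLs:0:0:root:/root:/bin/sh
alice:ab3kLm9pQr1sT:1001:100:Alice:/home/alice:/bin/ksh
bob:$6$saltsalt$CONSTRUCTEDNOTAREALHASH:1002:100:Bob:/home/bob:/bin/bash
svc:*:1003:100:Service:/nonexistent:/bin/false
modern:x:1004:100:Shadowed:/home/modern:/bin/bash
empty::1005:100:No password:/home/empty:/bin/sh
"""

# Traditional DES crypt output: 2 salt chars + 11 hash chars from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes -> (scheme name, password length the scheme actually uses).
# None means the whole password is hashed; bcrypt stops at 72 bytes.
SCHEMES = {
    "$1$": ("md5crypt", None),
    "$2a$": ("bcrypt", 72),
    "$2b$": ("bcrypt", 72),
    "$2y$": ("bcrypt", 72),
    "$5$": ("sha256crypt", None),
    "$6$": ("sha512crypt", None),
    "$y$": ("yescrypt", None),
}


@dataclass
class Finding:
    user: str
    scheme: str
    effective_max_len: Optional[int]      # None: no truncation by the scheme
    issues: List[str] = field(default_factory=list)


def classify_hash(h: str) -> Tuple[str, Optional[int]]:
    """Name the hash scheme of a password field and its truncation point."""
    if h == "":
        return "empty", None
    if h == "x":
        return "shadowed", None          # real hash lives in /etc/shadow
    if h.startswith(("!", "*")):
        return "locked", None
    for prefix, (name, cap) in SCHEMES.items():
        if h.startswith(prefix):
            return name, cap
    if DES_RE.match(h):
        return "des-crypt", 8
    return "unknown", None


def audit_passwd(text: str, source: str = "passwd") -> List[Finding]:
    """Classify every entry and record the findings a defender would act on.

    source is "passwd" or "shadow"; a usable hash in passwd is readable by
    every local user, so it is flagged there but not in shadow.
    """
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, h = fields[0], fields[1]
        scheme, cap = classify_hash(h)
        f = Finding(user, scheme, cap)
        if scheme == "empty":
            f.issues.append("empty password field: login without a password")
        if scheme == "des-crypt":
            f.issues.append("traditional DES crypt: only the first 8 characters "
                            "count and the 12-bit salt makes cracking cheap")
        if source == "passwd" and scheme not in ("shadowed", "locked", "empty"):
            f.issues.append("hash stored in world-readable /etc/passwd, "
                            "not /etc/shadow")
        findings.append(f)
    return findings


def effective_min_length(required_min: int, cap: Optional[int]) -> int:
    """Minimum length a policy really enforces once the scheme truncates."""
    return required_min if cap is None else min(required_min, cap)


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user:8} {f.scheme:12} max={f.effective_max_len}  "
              + ("; ".join(f.issues) or "ok"))
    # A 12-character minimum on a DES-crypt box is really an 8-character minimum.
    print("12-char policy on DES crypt enforces:", effective_min_length(12, 8))
```

Run it as a script to see the per-account table. The point for the shop in the thread is the last line: on a DES-crypt system a longer password policy cannot mean anything until the accounts are migrated to a shadowed, non-truncating scheme such as sha512crypt or yescrypt.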
Bob Morales posted:I have a Athlon X2 3200+ cranking through /etc/passwd right now (212 password hashes, 196 different salts, (Traditional DES [128/128 BS SSE2-16]) Bandwidth and disk are both so cheap these days that anyone with half a brain is going to have full rainbow tables if you're lucky, and they'll be using the GPU if you're unlucky. You should grab rainbow tables (~18GB) and see how long it takes to break.
# ? Oct 1, 2013 16:16
evol262 posted:Red flags are going up.

Thanks for this, I know I've got a ways to go with this stuff. I've started setting up cobbler and I'm learning to use puppet. I'm ditching the nfsroot plan for now because I didn't understand the advantages to begin with and everyone else is out of the country so I can probably get away with it. I originally had /var as a tmpfs but my boss was like "what if it runs out of ram?" I have no idea what circumstances would cause /var to grow to 16GB, but I didn't say that. The servers that would have been nfsroot are basically compute nodes running a bunch of VMs in our cloud project. My next upcoming problem is that we're going to be running a lot of stuff we develop ourselves, so I can't exactly tell puppet to grab it from the regular CentOS repositories. Would the best way to do things be to package our stuff and create a yum repo on one of our servers that they can all get things from? Is all of this overkill for a currently really small company with like four people and 10ish servers? In a year we could have a poo poo ton more, so I like to think this isn't a waste.
# ? Oct 1, 2013 16:51
Illusive gently caress Man posted:Thanks for this, I know I've got a ways to go with this stuff. I've started setting up cobbler and I'm learning to use puppet. I'm ditching the nfsroot plan for now because I didn't understand the advantages to begin with and everyone else is out of the country so I can probably get away with it. Illusive gently caress Man posted:I originally had /var as a tmpfs but my boss was like "what if it runs out of ram?" I have no idea what circumstances would cause /var to grow to 16gb, but I didn't say that. The servers that would have been nfsroot are basically compute nodes running a bunch of VMs in our cloud project. Illusive gently caress Man posted:My next upcoming problem is that we're going to be running a lot of stuff we develop ourselves, so I can't exactly tell puppet to grab it from the regular centos repositories. Would the best way to do things be to package our stuff and create a yum repo on one of our servers that they can all get things from? Is all of this overkill for a currently really small company with like four people and 10ish servers? In a year we could have a poo poo ton more, so I like to think this isn't a waste. Katello. Or a local yum repo. createrepo is pretty easy to use, and you just need a webserver plus an RPM specfile for each package of yours you want. Illusive gently caress Man posted:Is all of this overkill for a currently really small company with like four people and 10ish servers? In a year we could have a poo poo ton more, so I like to think this isn't a waste.
# ? Oct 1, 2013 17:39
evol262 posted:Email in-house is stupid for the same reason. evol262 posted:Is this a joke? "They've always done it this way so I may as well not even try". Do you think they even know VDI is a viable solution? Responses like these create a noise floor that impedes helpful discussion. The guy came here with a real need for info, and you pooped all over him for it. Thanks for that, you've done a real service.
# ? Oct 2, 2013 01:58
My Rhythmic Crotch posted:These kinds of replies are completely loving worthless. I know you're a smart guy, but you're a condescending, holier-than-thou rear end in a top hat. evol262 posted:This is more of a security problem. You don't have a dedicated server guy and you're running (presumably) unmaintained Windows servers for something that'd cost you $15/yr. evol262 posted:It's less about being condescending and more about security being hard. It was completely unclear from your initial post that anyone was enforcing any policies whatsoever, and sounded more like you were the best guy they had with computers so you were sort of handling it because you touched Linux 5 years ago and you know how to replace a hard drive, not that you're their admin. Sometimes the best info you can give is "don't do this, here be dragons".
# ? Oct 2, 2013 15:54
evol262 posted:While yes, it was aggressive, it wasn't nearly as aggressive as your selective quoting made it appear.
# ? Oct 2, 2013 16:18