Sysadmin


A community dedicated to the profession of IT Systems Administration

51
 
 

A buffer overflow vulnerability was found within SSL-VPN in FortiOS leading to unauthorized code execution. Options are either to disable SSL-VPN or upgrade to a patched version.

52
 
 

cross-posted from: https://sh.itjust.works/post/87144

Received this QNAP security bulletin this morning. Update your QNAP products!

June 14, 2023 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Vulnerabilities in Samba

Release date: June 14, 2023
Security ID: QSA-23-05
Severity: Medium
CVE identifier: CVE-2022-37966 | CVE-2022-37967 | CVE-2022-38023 | CVE-2022-45141
Affected products: Certain QNAP Devices

Summary

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system. The following QNAP operating systems are affected:

  • QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)

QES is not affected.

Only QNAP devices that run the affected operating systems and also act as a domain controller or AD member are affected.

Standalone QNAP devices are not affected by the vulnerabilities.

QNAP is currently fixing the vulnerabilities in QTS, QuTS hero, QuTScloud and QVP (QVR Pro appliances).

Please check this security advisory regularly for updates and promptly update your QNAP operating system to the latest version as soon as it is available.

Recommendation

Because RC4 encryption poses a high security risk, we strongly recommend replacing RC4 with the more secure AES algorithm when using a QNAP device as a domain controller or AD member.

  • When the QNAP device acts as a domain controller, we strongly recommend enforcing AES encryption.
  • When the QNAP device acts as an AD member, the encryption method should follow that of the domain controller. We also strongly recommend that the domain controller is configured to enforce AES encryption.

Before security updates are available, depending on the AD domain role of your QNAP device, we recommend enforcing AES encryption only or at least allowing both AES and RC4 encryption to mitigate the risks posed by the vulnerabilities.
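The advisory's recommendation (enforce AES on the domain controller, have members follow the DC, and at minimum stop relying on RC4 alone) comes down to what each account's msDS-SupportedEncryptionTypes attribute allows. The script below is an added example and not QNAP's or the Samba Team's code: it decodes that bitmask per MS-KILE, flags accounts that are RC4/DES-only or still negotiable with RC4, and gives the value (0x18) that enforces AES. The LDIF it reads is constructed sample input; the account names and DNs are assumptions.

```python
"""Audit msDS-SupportedEncryptionTypes for accounts that still allow RC4 or DES.

Added example, not QNAP's or the Samba Team's code. Bit values follow
MS-KILE section 2.2.7; the LDIF below is constructed sample input.
"""
from __future__ import annotations

import re

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",  # session-key hint added by the Nov 2022 updates
}
WEAK_MASK = 0x07   # any DES or RC4 bit
AES_MASK = 0x18    # AES128 | AES256 key types
AES_ONLY = 0x18    # decimal 24: the value to set to enforce AES


def decode_enctypes(value: int) -> set[str]:
    """Names of the enctypes enabled by a bitmask value."""
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}


def classify(value: int | None) -> str:
    """Security classification of one account's setting."""
    if not value:
        return "unset"      # no explicit value: the DC-wide default applies, check that instead
    weak, aes = value & WEAK_MASK, value & AES_MASK
    if weak and not aes:
        return "weak-only"  # RC4/DES only: needs a password/key reset to get AES keys
    if weak:
        return "mixed"      # AES keys exist, but RC4/DES can still be negotiated
    if aes:
        return "aes-only"
    return "none"           # only the -SK hint or unknown bits: no usable key type


def parse_ldif(text: str) -> list[tuple[str, int | None]]:
    """(sAMAccountName, msDS-SupportedEncryptionTypes) per entry of a flat LDIF dump."""
    records = []
    for entry in re.split(r"\n\s*\n", text.strip()):
        name, value = None, None
        for line in entry.splitlines():
            key, _, val = line.partition(":")
            if key.strip() == "sAMAccountName":
                name = val.strip()
            elif key.strip() == "msDS-SupportedEncryptionTypes":
                value = int(val)
        if name:
            records.append((name, value))
    return records


def audit(text: str) -> dict[str, str]:
    """Map each account in the dump to its classification."""
    return {name: classify(v) for name, v in parse_ldif(text)}


# Constructed sample in the shape `ldapsearch -LLL` produces for computer and
# service accounts. Names and DNs are assumptions.
SAMPLE_LDIF = """\
dn: CN=NAS01,OU=Servers,DC=corp,DC=example
sAMAccountName: NAS01$
msDS-SupportedEncryptionTypes: 28

dn: CN=NAS02,OU=Servers,DC=corp,DC=example
sAMAccountName: NAS02$
msDS-SupportedEncryptionTypes: 24

dn: CN=svc-backup,OU=Service,DC=corp,DC=example
sAMAccountName: svc-backup
msDS-SupportedEncryptionTypes: 4

dn: CN=legacy-printer,OU=Devices,DC=corp,DC=example
sAMAccountName: legacy-printer
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE_LDIF).items():
        print(f"{name:16} {state}")
```

Run it against a real dump of sAMAccountName and msDS-SupportedEncryptionTypes. Accounts reported as weak-only need a password (or machine-account key) reset after the value is raised, because AD only derives AES keys at the next password change; unset accounts fall back to the DC-wide default, which is what the KDC-side smb.conf options introduced in the Samba fix releases control (see the Samba 4.17.4 release notes for your version), and on a Samba AD member `kerberos encryption types = strong` restricts what the client offers.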

53
 
 

cross-posted from: https://lemmy.cloudhub.social/post/14149

What's everyone using for status monitoring and/or status pages either in their lab or at work?

I setup a status page for my fediverse instances using Uptime Robot (have an existing subscription), and the features are kinda lacking. I feel like they haven't really updated anything in the last 5 years which is unfortunate.

54
 
 

Just a reminder that Windows 10 21H2 home and pro editions are EoL today. Make sure you get updated to 22H2.

22H2 will be the final release of Windows 10, with an EoL of Oct. 14, 2025.

Enterprise 21H2 still has one year of support which will end June 11, 2024.

55
 
 

cross-posted from: https://reddthat.com/post/19103

So you want to know how we host lemmy?

I bought a server for 12 months, cloned this repository, edited the smtp details, modified the host vars, and ran the deploy!

The lemmy stack uses nginx, docker, and certbot. Inside docker it runs lemmy, lemmy-ui, pictrs, postgresql, and postfix.

For our CDN we are using the "dreaded" cloudflare for caching. Here's a pretty picture of our analytics for the past 7 days (the whole life time of reddthat.com):
[Screenshot of Cloudflare analytics]

In case you hate me for using Cloudflare, don't worry, I don't like using it either, but it's free for the time being. We are planning to move to BunnyCDN once we become funded. We've enabled Strict SSL to ensure all communications are secure. We also allow Tor users to access the site, and have our Cloudflare "security" setting set to minimal.

We are using UptimeRobot for our status page; status.reddthat.com.

Emails are hosted via my Mailcow instance.

The git repo linked here has been forked to a git repo and I'll be looking at making some changes in the coming days. Mainly to add the nginx configuration to be part of the code as well. It will then be completely under code, not just partly under code as it is now.
This is a gitea instance utilising gitea_runners, so once I get that done, I'll be creating gitea actions for:

  • Adding renovate to automatically check for new versions of the docker files and notify of passing tests
  • Once the PR is merged, automatically deploy it.

& that's about it.

Tiff
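Strict SSL covers the hop from Cloudflare to the origin, but it does nothing against someone who learns the origin's address, connects to it directly and forges the CF-Connecting-IP header. The Python below is an added example for a Cloudflare-fronted origin like the one described in this post, not reddthat.com's own code: it honours the Cloudflare-supplied client address only when the TCP peer is a Cloudflare edge, and labels direct hits so they can be denied. The range list is a snapshot of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 (assumption: still current; refresh it from there before relying on it).

```python
"""Derive the client address behind Cloudflare without trusting spoofable headers.

Added example for a Cloudflare-fronted nginx origin; not reddthat.com's
configuration. CLOUDFLARE_IPV4 is a snapshot of https://www.cloudflare.com/ips-v4
(assumption: unchanged since the snapshot; refresh it in a real deployment).
"""
from __future__ import annotations

import ipaddress

CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(peer_ip: str) -> bool:
    """True when the TCP peer is a Cloudflare edge address."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def client_ip(peer_ip: str, headers: dict[str, str]) -> str:
    """Address to log, rate-limit and ban on.

    CF-Connecting-IP is honoured only when the peer is Cloudflare. A request
    that reached the origin directly (leaked origin address, firewall gap)
    can carry any value in that header, so the peer address is used instead.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if is_cloudflare(peer_ip) and "cf-connecting-ip" in lowered:
        try:
            return str(ipaddress.ip_address(lowered["cf-connecting-ip"].strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return peer_ip


def classify_request(peer_ip: str, headers: dict[str, str]) -> tuple[str, str]:
    """('cloudflare' | 'direct', effective client address).

    'direct' means the edge was bypassed. Strict SSL verifies the edge-to-origin
    hop but cannot see connections that never touched the edge; those have to be
    rejected at the origin firewall or in nginx.
    """
    path = "cloudflare" if is_cloudflare(peer_ip) else "direct"
    return path, client_ip(peer_ip, headers)


if __name__ == "__main__":
    # Constructed requests: one through the edge, one straight at the origin.
    print(classify_request("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}))
    print(classify_request("203.0.113.5", {"CF-Connecting-IP": "198.51.100.7"}))
```

nginx can apply the same rule with the realip module (`set_real_ip_from` for each range, `real_ip_header CF-Connecting-IP;`) plus an allow/deny list that rejects connections from anywhere else; Tor users still arrive through Cloudflare's edge, so such a deny list does not affect them.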

56
 
 

Hello,

I'm in the early planning / testing phase of preparing to migrate our staff from on-prem DC's & Exchange 2013 to MS365 and Exchange Online.

Looking to have a hybrid AD solution in the end so authentication can occur on premise using our DC's, and when off-net they can use AzureAD. I believe the AzureAD Sync Tool will assist with 2-way synchronization so account records are kept up to date.

We have around 100 staff that will be migrated, and we'll be setting up a domain alias because our on-prem domain was a ".local" domain.

Has anyone gone through this sort of process before, if so what was your experience like?

Were there any gotchas or major issues that you came across?

After completing your migration, was there something you wish you knew at the beginning that would have saved you time?

Thanks in advance for any feedback.

57
 
 

Just a heads up and a list of patches. Have a look and keep patching people :) <in your test environment 1st of course.>

58
 
 

It's happening! AWS issues in us-east-1 feel like a snow day almost

59
 
 

Just started for me. entra.microsoft.com (specifically user list atm) is loading slowly or not at all.

Anyone else or just me?

60
 
 

So I've got a weird situation. We have one iOS device only (iPhone 13 on iOS 16.5) that is having issues completing the enrollment process:

  • download and sign into Company Portal
  • sign into the Company Portal
  • installed the management profile (confirmed)
  • device reports as not registered by Company Portal

The device not being registered is causing CA policies to fail for the device, so the user can't set up their apps like Outlook or Teams.

I've also confirmed there isn't another management profile installed for another MDM.

I've walked the user through the enrollment process a few times, with and without the Authenticator app installed and set up. The device doesn't show as registered in the Authenticator app either. Trying to register the device in Authenticator just gives a generic error saying something went wrong.

I did come across something online about supervised devices in this state when the device id in azure ad is all zeros (https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-ios#configure-the-company-portal-app-to-support-ios-and-ipados-devices-enrolled-with-automated-device-enrollment) however in this case the device id is populated.

I've re-enrolled one of my devices to walk through the setup process to make sure it's not something with the CA policies or something else. as far as I can tell this person is setup just like everyone else that is using mdm.

Hopefully someone has an idea, because I'm out of ideas on this.

61
 
 

Let's get this community popping with some useful information. Reddit's sysadmin subreddit seemed like a place of complainers, I look forward to having actual productive conversation in this community.

62
63
 
 

Duo uses push notifications, time-based, one-time passwords, physical tokens and biometrics to verify the identity of users at login. Similarly, Microsoft Authenticator uses push notifications, one-time passcodes, and biometrics for authentication and can integrate with Microsoft 365 and Azure Active Directory. While both 2FA options share some similarities, there are still key differences that can sway your decision to choose one over the other.
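The time-based one-time password mode both products offer is RFC 6238 on top of RFC 4226, and the security properties live on the verifying side. The Python below is an added example, not Duo's or Microsoft's code: it generates codes, verifies them with a one-step clock-skew window, compares in constant time and refuses any time step at or below the last one it accepted, which is what stops a code captured by a phishing page from being replayed inside its 30-second window. The key is the RFC 6238 test-vector key, not a real seed.

```python
"""RFC 6238 time-based one-time passwords, the OTP mode both Duo and
Microsoft Authenticator offer alongside push.

Added example, not code from Duo or Microsoft. Shows generation, verification
with a one-step clock-skew window, constant-time comparison and replay rejection.
RFC_TEST_KEY is the shared secret from RFC 6238 appendix B, not a real seed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(key, at // step, digits, algo)


class TotpVerifier:
    """Server-side check.

    Accepts codes from `skew` steps either side of now, compares in constant
    time, and never accepts a step at or below the last accepted one, so a
    code that was phished or shoulder-surfed cannot be replayed in its window.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key, self.step, self.digits, self.skew = key, step, digits, skew
        self.last_step = -1  # highest time step accepted so far (persist per user)

    def verify(self, code: str, at: int | None = None) -> bool:
        code = code.strip().replace(" ", "")
        if not (code.isascii() and code.isdigit()):
            return False  # reject junk before the constant-time compare
        now = int(time.time()) if at is None else at
        current = now // self.step
        for c in range(current - self.skew, current + self.skew + 1):
            if c <= self.last_step:
                continue  # already used or older than the last accepted step
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_step = c
                return True
        return False


RFC_TEST_KEY = b"12345678901234567890"  # RFC 6238 appendix B test secret

if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59, digits=8))  # RFC 6238 vector for T=59
    v = TotpVerifier(RFC_TEST_KEY)
    print(v.verify("287082", at=59), v.verify("287082", at=59))  # accepted, then replay refused
```

The replay state (last accepted step) only helps if it is stored with the user record rather than in process memory; with several servers validating logins, an in-memory copy lets the same code be accepted once per server.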

64
65
66
67
 
 

System administrators and IT operations pros might want to rethink their careers, because analyst firm IDC is predicting substantial drops in the number of people employed in such roles.

The firm this week published its first "Worldwide xOps Census and Forecast" – a study that predicts "a substantial shift in the responsibilities of IT professionals will occur over the next five years."

"IT professionals in the most purely operational roles are facing a transition to a more technical or focused role that very often may involve some level of software development work," the firm asserts.

68
 
 

Debian 12 remains on track for releasing next week even with around 100 known RC bugs that likely won't be resolved pre-release. The Debian release team says overall things are on-track.

69
 
 

No, we will not be going dark. The reasons are simple:

  1. This form of protest has proven ineffective on reddit repeatedly.

  2. Shutting down the sub on a Monday will have an adverse impact on our readers, including possible production issues.

  3. We have avoided reddit "politics" intentionally and will continue to do so.

You are more than welcome to avoid participating on that day which will make the message far clearer to reddit through their metrics than shutting down the sub to folks in need who would be here anyways.

It's disappointing to see the r/sysadmin mods take this stance, but I guess in a way it's a good thing that they've shown their true colors.

Here's hoping that c/sysadmin thrives and replaces it in the near future as the go-to place for all sysadmin stuff.

70
 
 

While Microsoft has indicated these outages are a mess of its own making, hacktivist group Anonymous Sudan has claimed responsibility for the downtime, and said it did the deed as retaliation for the US government interfering with the internal affairs of the civil war-ravaged African nation.

The potentially-pro-Russian crew stated its claim on its Telegram channel, with messages coinciding with the timing of the first outage. Afterward, the group reportedly said it would again attack Microsoft's services because the company said the problem was technical rather than a cyberattack.

71
 
 

Beginning with Jenkins 2.407, May 30, 2023, Jenkins administrators running a Jenkins weekly release will be warned if they are running Jenkins on an operating system that is within 6 months of its end of life date. The same warning will be visible to Jenkins administrators running a Jenkins long term support (LTS) release with the next LTS baseline after Jenkins 2.401.x, beginning August 23, 2023.

72
 
 

Microsoft kicked off its Build developer conference yesterday, where it unveiled several new features for enterprise customers. The company also announced a preview of Windows 365 Boot, which lets users log directly into their Cloud PCs at startup instead of the local install of Windows 11.

Windows 365 Boot is designed for Windows devices that are shared between multiple people (such as frontline workers and temporary employees). The feature eliminates the need for IT admins to configure Windows PCs for individual users.

“When you power on your device, Windows 365 Boot will take you to your Windows 11 login experience. After login, you will be directly connected to your Windows 365 Cloud PC with no additional steps. This is a great solution for shared devices, where logging in with a unique user identity can take you to your own personal and secure Cloud PC,” Microsoft explained.

73
 
 

Just a recommendation to the mod(s) here, you may want to set the display name for the community to simply "Sysadmin".

While it's a funny true-ism, when searching Lemmy communities for "sysadmin" it's easy to miss "It's always dns" in the results. Make the sidebar just read "It's always dns" instead.

74
 
 

A backup tool.

75
 
 

Any opinions on an IM solution to send notifications to?

Something which can show push notifications on my phone would be ideal.

This is for my personal stuff which isn't critical or public. I would like E2EE if for no other reason than why not.

Top options:

  • Matrix
  • XMPP

Middle:

  • Jami (No API?)
  • Zulip (no E2EE)
  • Google Chat (no E2EE?, dealing with Google APIs)

No:

  • Briar (no iOS client)
  • Signal (no API)
  • Session (no API)
  • Whatsapp (API cost)
  • Threema (cost)
  • Wire (bot API in beta, cost?)
  • Telegram (sus)
  • Slack