@WrCombs said in Frist time Headset ?:

@Dashrender said in Frist time Headset ?:

@WrCombs said in Frist time Headset ?:

@Dashrender said in Frist time Headset ?:

@WrCombs said in Frist time Headset ?:

Mentioned that I was having issues with my headset to one of my coworkers - I guess we have a standard issue headset offered by the company.

https://www.amazon.com/dp/B08WJRMW17/ref=cm_sw_r_api_i_3YW5JM7SC9CNTRGQGTVK_0?th=1

It does seem kinda weird that either a) they supply you with one or b) they reimburse you for providing one of your own.

Though perhaps we don't have all the information.

I'm not following

do they
a) pay for a headset OR
b) reimburse you for one you buy yourself?

Using a headset is basically a requirement for a softphone (and since you're now work from home support - I fully expect you'll spend the better part of your day on the phone - so you'll want a headset for that so really that should be a business expense).

ah, they bought it and it'll be here tomorrow.

It looks pretty decent to me. The Evolve2 40 has a more advanced mic though with more suppression of unwanted noise and the Engage 50 is better and much lighter. But it's hard to beat free

I think you'll be very pleased with it.

@scottalanmiller said in Is there a webcrawler issue with mangolassi.it?:

@Pete-S so odd, I wonder why they aren't indexing it any longer. I am not aware of any changes that would likely have prompted that.

Have a look at this:
https://www.bing.com/webmasters/help/why-is-my-site-not-in-the-index-2141dfab

If I remember correctly duckduckgo uses several other search engines, including bing, to compile it's results.

Since a while back duckduckgo doesn't index mangolassi.it but google does. Bing doesn't index mangolassi.it either.

There must be a problem somewhere.

Google used to be known for not caring about sites setting and index them anyway. I don't know if that is still the case.

Doesn't work (website doesn't show up among search results):

• https://duckduckgo.com/?q=mangolassi.it
• https://www.bing.com/search?q=mangolassi.it

Works:

• https://www.google.com/search?q=mangolassi.it

@scottalanmiller said in What does your desk look like?:

@Pete-S said in What does your desk look like?:

@scottalanmiller said in What does your desk look like?:

@Pete-S said in What does your desk look like?:

@Dashrender said in What does your desk look like?:

Might also consider a ring light.

Actually the white wall that is just behind the laptop is much better than a ring light. Just bounce a light source of it and you'll get a very nice light. Search for "bounce lighting" if you want examples.

Where light source could be.... a ring light!

Could be but ring lights have the wrong characteristics. You'll waste a lot of light output with a ring light. You want more a directional light for this.

More like a cheap desk lamp aimed at the wall.
Or one of those work clamp light that's popular among videographers on a shoe string budget.

Sure, but if you already have the ring light, I guess, lol.

Yeah, it's worth a try then. Any light is better than nothing.

@scottalanmiller said in What does your desk look like?:

@Pete-S said in What does your desk look like?:

@Dashrender said in What does your desk look like?:

Might also consider a ring light.

Actually the white wall that is just behind the laptop is much better than a ring light. Just bounce a light source of it and you'll get a very nice light. Search for "bounce lighting" if you want examples.

Where light source could be.... a ring light!

Could be but ring lights have the wrong characteristics. You'll waste a lot of light output with a ring light. You want more a directional light for this.

More like a cheap desk lamp aimed at the wall.
Or one of those work clamp light that's popular among videographers on a shoe string budget.

@Dashrender said in Weird DNS resolution issue:

@Pete-S said in Weird DNS resolution issue:

@Dashrender said in Weird DNS resolution issue:

Was there something else I should have tried?

When troubleshooting you can make DNS queries to specific DNS servers that doesn't use the clients DHCP originated default DNS servers.

For example:

nslookup mangolassi.it 8.8.8.8

or

nslookup mangolassi.it 8.8.4.4

It would be better than just pinging.

Nice - thanks didn't know that.

Well, I don't do it often enough so I always forget how to do it and then I have to look it up...everytime....

@Dashrender said in Weird DNS resolution issue:

Was there something else I should have tried?

When troubleshooting you can make DNS queries to specific DNS servers that doesn't use the clients DHCP originated default DNS servers.

For example:

nslookup mangolassi.it 8.8.8.8

or

nslookup mangolassi.it 8.8.4.4

It would be better than just pinging.

---

You also have ipconfig as a tool on Windows.
To clear the clients DNS cache

ipconfig /flushdns

to force DHCP renewal

ipconfig /renew

or to check what DNS server it has been given.

ipconfig /all

And look for "DNS Servers"

@Dashrender said in Weird DNS resolution issue:

I fixed the issue by changing the DHCP to hand out 8.8.8.8 and 8.8.4.4, rebooted the clients - problem gone.

I usually let the router act as a DNS forwarder or resolver and cache.

So in this case the computers would all get the IP of the router as DNS from the DHCP. And the router would forward DNS requests to whatever IPs you want.

Not that it makes much difference in your case. But I think it's a cleaner and faster architecture.

@Dashrender said in Weird DNS resolution issue:

I ran into this yesterday.

Client has cable modem to TP Link router, TP Link is DHCP for network.
DHCP provides DNS addresses pointing to Comodo Secure DNS (8.26.56.26 and 8/20.247.20)

Some computers are able to get DNS resolution - others cannot.

All computers can ping 8.8.8.8 - so internet works.
All computers can ping the Comodo DNS servers.

Yet some computers just won't get DNS resolution.

I fixed the issue by changing the DHCP to hand out 8.8.8.8 and 8.8.4.4, rebooted the clients - problem gone.

Anyone heard of an issue like this? where a DNS provider seemingly blocks some requests from a given IP, but not others?
Was there something else I should have tried?

Sounds like it might have been the reboot that actually solved the problem.

All requests from the LAN will originate from the routers WAN IP address so it will be the same IP from the DNS servers point of view. In other words, it's unlikely it's some problem on the DNS servers.

@Dashrender said in What does your desk look like?:

Might also consider a ring light.

Actually the white wall that is just behind the laptop is much better than a ring light. Just bounce a light source of it and you'll get a very nice light. Search for "bounce lighting" if you want examples.

@WrCombs said in Frist time Headset ?:

@Pete-S said in Frist time Headset ?:

What's the environment like where you are sitting?

Working from home so household noise as well as kid being home during shifts etc. so noise cancelling will be nice.

Active Noise Cancellation (for your ears) works best when you have background noise like a busy open office environment or while traveling on an airplane. It will not work well on incidental noise like someone slamming with pots, dropping something or screaming.

So in your case it will probably not help that much unless you're sitting next to the washing machine, a noisy AC or something like that.

What will work is passive noise cancellation, which is just that external sound is blocked by the headphones. That will block all kinds of noise so that what I think you should get if you need to concentrate.

Since you're using it all day but maybe not all the time I would look for a headset that's middle of the road, good mic and ergonomics, passive noise cancelling. And wired since you don't need to move around and not too expensive.

Something like Jabra Evolve2 40.

About $115 on amazon for the stereo version with USB.

BTW, it has noise cancellation on the mic - for the benefit of the person you're talking to.

PS.
Next step up which is much lighter is the professional call center type model Jabra Engage 50. Right now it's only about $135 for the stereo model on amazon. Usually it's way more expensive. I would get this one but both will work.

@Fredtx said in Does block level sync exist?:

@scottalanmiller said in Does block level sync exist?:

Right, which is just a fancy way of saying it uses VSS. Everything does that, that's not considered application aware, because absolutely everything has that level of awareness - the agent that has the awareness is part of the OS. Barracuda isn't aware of any third party applications, including those that run on top of MS SQL.

Yea, I'm aware it uses VSS. I thought that's what you were referring to when talking about application awareness. But looks like you are referring to something else that I have a lack of knowledge or understanding on.

It's not that complicated. Imagine you are running your own desktop in a VM and you want to take a backup. What about the files you are working on and haven't saved yet? They only exist in RAM and not on any disk. So any backup that backups just your files or blocks on the disk will never be complete.

It's the same on a server. You don't know where the data is that you are trying to backup. Only the application developers knows how it works and where the data is.

VSS is a set of Windows components that communicate with applications so that the OS can tell the application when it need to prepare for a snapshot of the data by writing files to disk etc. But that only works IF the developers actually use the VSS components in their application and that is not always the case. But if they do, the backup should be good concerning that particular application. However there are many things running on a typical server.

I'd think about what the primary purpose of the headset is before considering options.

Things to consider:

• What's the environment like where you are sitting?
• Do you need to hear people around you?
• Do you need to be able to move around while on a call?
• Are you going to take calls when you're out and about (not at your desk)?
• How many hours per day are you going to use it?
• Do you going to take it on and off many times per day?
• Are you going to use it for taking helpdesk calls or other things as well?

I'd look for different things depending on how and where you going to use it.

There is a big difference between a super-light monaural "call-center" headset and a "gaming" headset for example. Both will work, but one will be much better than the other in different scenarios.

Just looking at Jabra's site gives you an idea of the different types of headsets you can choose from:

@scottalanmiller said in Does block level sync exist?:

I do backups for financial systems, for example. And we always explain "well, we can quiesce the database and ensure that database is not corrupt, but we can never know if the database has been given quiesced application data because only the developers can tell us that".... and 99% of the time, the devs don't even know themselves and never accounted for needing to make the application safe to back up at all!

I agree. If the application isn't designed for backups in a specific manner then the only safe bet is to shut it down, snapshot the data for backup and power it up again.

The same operations needed to shutdown is a superset of the operations needed to put the database and application data in a safe known state. And most applications are designed to shutdown and startup safely.

It may be clumsy but with VMs the service interruption will usually be short. Maybe 30 seconds or so.

@scottalanmiller said in Production KVM server "hardening"?:

I get that. My point was that you'd get the same security without the private network or the VPN. They only give an illusion of additional security, but cause a lot more effort and more effort often results in work arounds.

Yeah, I agree. Anyway, I don't want to go down the rabbit hole of network design specifics at this time. Might circle back to that later though.

My primary concern right now is if there are any special configuration needed to run pure minimal linux KVM virtualization hosts in production in a responsible manner.

@scottalanmiller said in Production KVM server "hardening"?:

@Pete-S said in Production KVM server "hardening"?:

Thanks! My intention was to put the management network behind a VPN - with MFA for human access.

Doesn't do anything. SSH is already in a VPN. MFA is great, but just add that to SSH. VPN won't add anything to SSH, but it risks the feeling that you can use it for other things and it tends to become the point of risk.

VPN is used to get access to the private network. Servers are not accessible from internet. So there is no way to use ssh without first having access to the private network.

So double encryption was just a by-product.

@IRJ said in Production KVM server "hardening"?:

I would restrict ssh to very specific hosts. If you want to be flexible on your location, you could just allow a bastion host and/or VPN. Both solutions are very low cost as bastion and VPN server uses very little resources. If you want to implement a solution that's even more proactive you could use a service like Okta that has MFA and short term token access to ssh sessions.

As far as host level, use CIS benchmarks as a good base for hardening template. Removing unnecessary packages can also help and limit potential vulnerabilities on the system. Also, the usual stuff like sending logs to SIEM.

Thanks! My intention was to put the management network behind a VPN - with MFA for human access.

I've used CIS benchmarks as a guide before so I'll reacquaint myself with those again. I'll see if they have something specific for KVM.

@EddieJennings said in Pure KVM server "hardening"?:

@Pete-S said in Pure KVM server "hardening"?:

I'm thinking about running pure KVM on debian for virtualization hosts. Not Proxmox. There will be no GUI on the servers, no web interface, only ssh for management.

Do I need to do anything special to lock down the security?

I've never used KVM in production, only on my desktop and then I've had virt-manager as well as tools like virtsh. So I don't really know what is required for a pure KVM server to be as "secure" as proxmox, xcp-ng or whatever.

I'd consider this normal rather than special, but force only key-based authentication for SSH.

Good point, thanks. I try to take it a step further and use ssh certificates when I can.

Regarding access, my idea was to replicate how I've setup up virtualization hosts in the past and that is to have management access (ssh in this case) on it's own vlan (or nic). And then the guest VMs have their own vlans. And a firewall that routes and decides what is allowed.

@JaredBusch said in Pure KVM server "hardening"?:

@Pete-S said in Pure KVM server "hardening"?:

only ssh for management.

If no one has access it is secure. WTF else are you wanting? If you have nothing listening, what is there to "secure"

Well, I don't know but there could be default settings or other things that could be improved.

Compare to mysql_secure_installation script for example. You can install mysql just fine without running it but it improves security by removing some stuff.

I'm thinking about running pure KVM on debian for virtualization hosts. Not Proxmox. There will be no GUI on the servers, no web interface, only ssh for management.

Do I need to do anything special to lock down the security?

I've never used KVM in production, only on my desktop and then I've had virt-manager as well as tools like virtsh. So I don't really know what is required for a pure KVM server to be as "secure" as proxmox, xcp-ng or whatever.