SNMP and PRTG

The common mistake is to configure snmpd for v3 and forget to disable snmp v1/v2.

go to /etc/snmp/snmpd.conf and comment line with

“com2sec notConfigUser  default       public”

So full net-snmp installation and configuration should be something like:

  1. yum install -y net-snmp-utils net-snmp net-snmp-libs
  2. service snmpd status
  3. service snmpd stop
  4. net-snmp-create-v3-user -ro -A [password] -a MD5 -X snmpv3encPass -x DES snmpv3user
  5. comment line with “com2sec notConfigUser  default       public”
  6. service snmpd start
  7. configure PRTG or other monitoring tool
  8. chkconfig snmpd on
  9. snmptable -v 3 -u snmpv3user -l auth  -a MD5 -A [password] localhost usmUsertable
  10. snmpwalk -u snmpv3user -A [password] -a MD5 -l authnoPriv
Read the rest

How to create site to site vpn from pfsense to openvpn server.part3

  1. How to create site to site VPN for SMB with low IT budget. part1
  2. How to setup OpenVPN server on debian? part2
  3. How to create site to site vpn from pfsense to openvpn server.part3

OK, we already have Openvpn server at central office. Now our task is to configure branch office pfsenses (why pfsense) to connect central office Openvpn server:

  1. create Hyperv VM for pfsense at branch office 01:
    • mount pfsense iso to the pfsense VM
    • create fixed size virtual disk, 5gb is enough. if you use dynamic disk – pfsense freebsd installer can fail
    • before pfsense installation
Read the rest

How to setup OpenVPN server on debian? part2

We continue previous post about creation of site to site vpn between multiple branch offices and central office of company.

  1. Install latest Debian Linux (better from network installer). During the installation choose:
    • ssh server
    • std system utilities
  2. Configure IP address for the server. For example nano /etc/network/interfaces:
iface eth0 inet static
address 192.168.0.2 # it is considered that 192.168.0.1 is used as dgw in central 
Read the rest

How to create site to site VPN for SMB with low IT budget. part1

It’s commonplace to connect multiple company branches and central office by VPN. For my customers for example it’s needed to :

  1. implement Active Directory (for small companies with single IT team – only one AD domain and multiple AD sites, everywhere if possible one AD DC)
  2. integrate into one DB all Time Attendance machines – one Zkteco application for accountant at central office connects thru vpn
Read the rest

If you need temporary VPS hosting (for testing, for development and so on)

Sometimes temporary, moreover free VPS hosing for 1 year is great and generous opportunity. Usually it’s very handy for testing (for example to install linux, configure lamp, wordpress, 2fa, freeSSL, plugins and so on ), web development, personal blogs, short-term projects like election events and so on.

Amazon Web service suggests it for whole 1 year. Just be VERY careful to not trespass limits of free tier (for example AWS automatically has done EBS snapshots during import of my vmware ova to AWS AMI and later on to free tier instance — although 09 cents were generously forgiven by AWS … Read the rest

Free ComodoSSL, free “Let’s encrypt” certificates

Strange that the main national domain registrar (http://manage.datacom.mn) yet don’t use SSL for own management console. Mobinet, national cloud provider even don’t have DNS registration for own services asking to create hosts file records for vps-mgnt.mobinet.mn. Mobinet who resells Comodo SSL doesn’t have valid SSL for https://vps-mgnt.mobinet.mn/ (and looks like self-signed SSL is created to conflict with vmware cert namespace).

SSL providers suggest DNS (email) validation for certificate CSR, so vulnerable web DNS manager (not protected by SSL) can compromise issued SSL certs and finally web sites with online banking, payment systems and so on. I suggest for

Read the rest

Free VEB/Veeam Endpoint Backup solution to backup physical servers

Not everybody knows that recently Veeam starts to support backup of physical servers, workstations directly to the same Veeam Repository in already existing VBR/Veeam Backup and Replication  infrastructure.

If you already have ready VBR than it’s logical to backup not to mobile USB hard drive (default target of VEB) and so on, but to VBR repo. To restore i recommend to use WDS – because boot.wim in generated recovery disk easily can be imported into WDS (and all necessary NIC and storage drivers added in std way thru WDS). WDS can be on other server – just during restore process … Read the rest

If you are prudent sysadmin and keep enabled UAC

It’s recommended never to disable UAC/User Access Control  (there are many instructions to disable it for piracy programs downloaded from the internet, and unfortunately in Mongolia almost all computers even in enterprises have disabled UAC in windows)

The main reason to have enabled UAC is ability for the sysadmin to run installation and system configuration commands without re-login during remote or interactive sessions on asked help workstation. According to the best industrial practices you need to exclude any end user from workstation Local Administrators (depriving rights to install non-authorized programs and change/damage system configurations). If you disabled UAC then there … Read the rest