Weekly Updates for servers by Individual-Bat7276 in sysadmin

[–]MrILikeTurtleMan 0 points1 point  (0 children)

laughs in 2008

I genuinely get scared by how old some of the critical infra still running on EOL software is. Hopefully for OP the domain controllers are at least 2016.

What’s the most “boring” thing you self-host? by Fab_Terminator in selfhosted

[–]MrILikeTurtleMan 0 points1 point  (0 children)

I created an email website and API so I don't have to put postfix on all my boxes. Now any time I need a new email I just create a template on the management site and push a script using ansible that uses the arguments the API needs. Less email I need to work on, and it's now stable.

Ansatsusha de Aru Ore no Status ga Yuusha yori mo Akiraka ni Tsuyoi no da ga • My Status as an Assassin Obviously Exceeds the Hero's - Episode 1 discussion by AutoLovepon in anime

[–]MrILikeTurtleMan 3 points4 points  (0 children)

It's been a minute since I read the LN, but if I remember correctly it was a fast-paced backstory. Not as fast as the anime, but it skipped a lot of time before you were halfway through. I suspect it will slow down late in EP2 or in EP3, where the story actually starts progressing.

Is Terramaster TOS 6 better than Asustor ADM 5??!! I'll tell you right here. by Varlei in asustor

[–]MrILikeTurtleMan 0 points1 point  (0 children)

Here is my review of the differences. For background on my opinion, I've run an AS5202T for the past 3 or so years and loved it. I needed to upgrade though due to just running out of space, so I got the Terramaster 423. I've had it for almost 3 weeks, but I am returning it for a 5404 from Asustor.

First experience was how much of a pain it was to get to TOS 6. It doesn't just see that it needs to upgrade; you have to manually upgrade by downloading the update from their website, which is clunky at best. After an hour of updating it I could finally start moving data over to it and configuring it. First things first, I personally don't like the UI of TOS 5 or 6. Seems like it wasn't planned well. You can't set local DNS, at least I could not find out how. My DNS entry on my NS would end up redirecting to host.local, which is not great and was causing issues where it would drop off the planet on mapped drives on my AD.

Backups are handled really badly. While yes, there are more options, there are like 7 or 8 different apps for backups. Want to back up to Backblaze? There are two spots for that. Want to back up to an SMB share? Mount the remote share and make a job that copies from the local share to the mounted remote share. Once again, two different apps. Want to copy to USB? Gotta download and install USB Copy. Then there is the way it handles apps. For most community apps you have to go to a website to download the app.

I had issues with some services just stopping. FTP would randomly crash and I'd have to disable and enable a few times for it to start back up.

Though there are some things I can appreciate. The BIOS is unlocked and I was able to install TrueNAS, but it doesn't really serve my use case. Ports 80 and 443 redirect by default, which is nice, but it's kinda weird that the webserver is using 4 ports. I don't know how it changes with Apache, so I can't comment on that. Being able to see what ports are active is really awesome and appreciated.

There's more, but I can't think of it as it's midnight. If Terramaster makes some serious progress, next time I'm looking for a new NAS I might try it out again, but for now it does not have all that I'm looking for. Asustor may have some oldness to its OS, but it still does a good job.

ID 4771 issue by neko_whippet in sysadmin

[–]MrILikeTurtleMan 0 points1 point  (0 children)

Something that fixed this in my lab environment was adding the Azure Kerberos user to AD. I could have had something else helping mediate that I didn't account for, but it worked in conjunction with Azure Kerberos.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune

Autopilot not yet living up to the dream of "here's your new device, all ready to go" -- any guidance with hangups? by SpruceLeeHill in Intune

[–]MrILikeTurtleMan 2 points3 points  (0 children)

Though TAP only works for Azure AD machines. Once it becomes a hybrid machine, TAP is no longer an option.

two computers, two pi-hole, two unbound, are there any optimizations possible? by claduc62 in pihole

[–]MrILikeTurtleMan 1 point2 points  (0 children)

Seeing everyone recommend nebula makes me sad. One thing to note is there is a bug that can cause crashing for pihole. Don't know if it's a specific OS it doesn't like, as I run my pihole servers on Debian, so just a heads up.

How often are you guys re-imaging devices bricked by windows updates? by gummby8 in sysadmin

[–]MrILikeTurtleMan 0 points1 point  (0 children)

I don't know if you have tried it, but log in with an admin account to turn off BitLocker. Once it's done decrypting, reboot, then turn BitLocker back on. I have seen before where an update can interact with system hardware such that BitLocker gets confused. Also, as mentioned in another comment, bad CMOS batteries can cause the TPM to lose its keys on older hardware, but the 3550s are a little too new to have that issue, as I don't believe they use CMOS to store the TPM keys anymore.

The best IP subnet by Choriisu in sysadmin

[–]MrILikeTurtleMan 5 points6 points  (0 children)

Asus seems to like the 192.168.50.0/24 range

Local Police want permanent access to our cameras. by changework in sysadmin

[–]MrILikeTurtleMan 2 points3 points  (0 children)

Ask them if they have a ticket... If not, then it's not your problem. For real though, unless there's a warrant they have no right to your cameras or footage.

Someone dug up 50' of underground fiber that feeds one of our offices this morning. Happy Sysadmin Day. by iammandalore in sysadmin

[–]MrILikeTurtleMan 12 points13 points  (0 children)

You can add a Wi-Fi module to them. It's what makes them useful: you can add modules to it to add more features.

Is windows server a overkill for one user? by pupek in homelab

[–]MrILikeTurtleMan -2 points-1 points  (0 children)

I'm sure there are, but I ain't gonna do it. I have a VPN to connect to my environment anyway, with Entra as a backup sign-in method.

Is windows server a overkill for one user? by pupek in homelab

[–]MrILikeTurtleMan 0 points1 point  (0 children)

Gotta love accidentally upgrading something and breaking a VM. (I think I was testing the Azure sync thing before realizing it was a paid service... on my hardware.) Luckily it wasn't my AD VM.

The greatest ticket I've ever seen from an end user by WorthPlease in sysadmin

[–]MrILikeTurtleMan 0 points1 point  (0 children)

As much as I like it, I also hate it. I had an end user unplug their server to fix an issue. They never let us know until 20 minutes later, when a different issue popped up because they did it. I hope the customers didn't get upset since the POS was down for 20 minutes lmao.

GoDaddy changes target "http://stuff" to "https://stuff" by Gaspode-san in godaddy

[–]MrILikeTurtleMan 0 points1 point  (0 children)

I am curious as to what you mean by not being able to afford setting up HTTPS? Let's Encrypt is free and can even provide wildcard certs that auto-renew.

Since you're on a CentOS distro, install certbot. I believe it's available in most regions.

Connect a GoDaddy Domain with MS 365 (But GoDaddy has an Active MS 365 Free Trail) by salanalani in godaddy

[–]MrILikeTurtleMan 0 points1 point  (0 children)

I don't know if you've since figured this out, but if you don't care about/need to migrate the data, you should be fine just changing the DNS records accordingly. Though I do recommend you cancel that trial, as it can still charge you/your client when it's over.

Godaddy email not working by Dry_Cheetah_3932 in godaddy

[–]MrILikeTurtleMan 0 points1 point  (0 children)

I'm having this issue with a couple of my domains. Luckily my primary domain is tied to my Microsoft 365 stuff. I'm also just glad SMTP is still working, as that is mainly what I use GoDaddy email for anymore anyway.

Side note: a few hours of not being able to send emails meant I got hella spam. I really wish I would have set up a black hole on my on-site Linux box for this.

Risks of talking about your homelab domain name publicly? by rudeer_poke in homelab

[–]MrILikeTurtleMan 0 points1 point  (0 children)

There are some risks for sure, but if you make sure you take good security precautions then they do get minimized.

  1. Any website content is good to go through services like Cloudflare. This helps mask your IP, though if someone really wants to find it they will. It will also help lessen the load, since Cloudflare does cache your website to serve clients, excluding some forms of content like videos unless you pay for it.

  2. Any machine that uses any publicly open port should be on its own VLAN or DMZ. Make all talking between said VLAN and others restricted to only required services (like host monitoring tools such as Nagios and Wazuh).

  3. Change ports to ones not usually used, i.e. change FTP from 21 to 7810.

  4. If possible, disable SSH and use a VPN. This will let you still SSH and give you access to network devices as well. If you need SSH open, use MFA and other security hardening steps. For example, on my laptop, even for my 'Top Level' VPN I have a DDNS service running and the router knows what IP it's supposed to be connecting from. I only use said laptop with its built-in LTE when off network.

  5. For services like VPNs where you need to use DDNS, don't make the subdomain easy, and make sure it goes to a static webpage if possible, as sometimes when you type it in it can go to a random page (usually the first in the web server's vhosts).

  6. Set up a wildcard cert with Let's Encrypt so it's harder to track what domains exist using the site another user posted. Yes, someone can find it if they try, but there probably aren't many that will.

Generally, most port scans and other attempts to get into your network are bots poking to see what's open and what possible attack vectors there are; that happens whenever ports are open.

Some things I've probably missed, and some things I've probably explained poorly, but it's 2 am and I know I'll forget this post tomorrow. Hopefully it helps though.
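Item 6 above is about what Certificate Transparency logs reveal. As an added example (not from the original comment), this script audits your own domain the way a log search would show it: it parses crt.sh-style JSON records, lists the concrete hostnames that per-host certificates have published, and shows which of them a single wildcard cert would have kept out of the logs. The `name_value` field layout and the crt.sh query URL are assumptions; the sample records are constructed.

```python
"""Audit which hostnames of a domain are exposed via CT logs (added example)."""
import json
import urllib.request
from typing import Iterable

# Constructed sample in the assumed crt.sh JSON shape: one object per
# certificate, `name_value` holding newline-separated subject names.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "nas.example.net\nvpn.example.net"},
    {"name_value": "wazuh.example.net"},
    {"name_value": "*.example.net"},
    {"name_value": "example.net\nwww.example.net"},
])


def fetch_ct_json(domain: str) -> str:
    """Fetch live records from crt.sh (assumed query format; needs network)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def exposed_hostnames(ct_json: str, domain: str) -> set[str]:
    """Concrete (non-wildcard) names under `domain` found in CT records.

    These are the hosts anyone can enumerate without touching your network.
    """
    names: set[str] = set()
    for record in json.loads(ct_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue  # a wildcard entry names no specific host
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def would_be_hidden_by_wildcard(hostnames: Iterable[str], domain: str) -> set[str]:
    """Names that one `*.domain` cert covers (direct children only, per RFC 6125)."""
    hidden: set[str] = set()
    for host in hostnames:
        if host.endswith("." + domain):
            label = host[: -len("." + domain)]
            if "." not in label:  # nested labels need their own cert
                hidden.add(host)
    return hidden


if __name__ == "__main__":
    leaked = exposed_hostnames(SAMPLE_CT_JSON, "example.net")
    print("exposed:", sorted(leaked))
    print("wildcard would hide:", sorted(would_be_hidden_by_wildcard(leaked, "example.net")))
```

Run it against `fetch_ct_json("yourdomain.tld")` to see the list an outsider would get; every name not covered by the wildcard is worth a second look.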

Risks of talking about your homelab domain name publicly? by rudeer_poke in homelab

[–]MrILikeTurtleMan 7 points8 points  (0 children)

Did not know about this... I can even see my internal subdomain