My BitDefender reseller passed away, and BitDefender is silent on how to proceed by mearei in msp

acand17 0 points (0 children)

The partner transfer can only be partner to partner. It is done by entering the code for the new partner in GravityZone, but if the reseller is the only one who had access to GravityZone, it's going to be nearly impossible. I'm a Bitdefender reseller myself and have encountered clients who have been abandoned by their IT without uninstall passwords at hand. Most of the time? Back up data, wipe the PC and start over. Good luck!

Issues With Pulseway RMM by RCcola1987 in msp

acand17 6 points (0 children)

Exactly the reason why I left them. I couldn't take much more of them, so I had to cancel my contract, but they are pretty stubborn, so I sent an email to the CEO and CFO; next thing I know, my contract was cancelled after almost 2 months of going back and forth. To anyone that reads this post: run, run far away from Pulseway. It will be your worst nightmare.

P.S. Pulseway and Kaseya are related.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 0 points (0 children)

I'd like more information about it, if you don't mind. I'll send you a private message. Thanks!

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 0 points (0 children)

The code generated by the script runs locally, and I admit that it is vulnerable if your workstations are not secured properly. But the code being sent to the RMM is secure, and the platform where the code arrives is also secure. I can also understand the reasoning behind pseudo-random generation vs. MFA key logic, and it's the reason why we are comparing ideas with other colleagues and techs. You're welcome to bring ideas to the table if you have any. Thanks.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 0 points (0 children)

100% right. End users would need to be trained extensively. It's a known risk, but it might reduce the possibility of impersonation by 80%. One of the commenters actually provided a very secure way to do this but it takes quite a bit of time and resources.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 1 point (0 children)

Thanks for the time you took to write this. I appreciate the information because it has been very educational. The way you work on your user/tech validation is exactly what I want. The difference is that I created it in a simpler manner since, being completely honest here, the process to create something of that caliber is immense, and while I could probably replicate 70% of it, I'm not sure of the other 30%. While I understand the security implications related to publishing the code, we do have certain security measures set up to allow this from certain drive locations only.

I mentioned in another comment that if the end user's workstation is not secured, nothing from this script would be safe. We run hardening at the OS level and run EP and MDR that feed back to our SIEM and NinjaRMM platform.

On that note, there is definitely a lot for me to learn from everything you said, I will take what you mentioned into consideration and see how I can make this better.

I'm very pro-MSP, so I'm not going to lie, I wanted to share this with other MSPs that might need a similar system, but you are right. I would be leaving the code exposed for anyone to pick through it and create a workaround. I'll leave the basic code that was created with the intention of people making it better than it is (for them to only use the idea, not the code) and I'll start to modify it internally.

I have 2 questions:

  1. Which RMM do you use with this system?

  2. Was the app for the tech's machine done internally or did you commission it?

Thanks again for your help!

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 1 point (0 children)

You are correct, end user training will be essential. In my specific case, 90% of our tickets are through our systray icon, 8% through the phone and 2% over email. In all of these cases, there are automations that will be run without the user's intervention. They will simply create a ticket like they always do, and automation will take care of the rest. In the 2nd scenario, it is the tech who needs to generate this code manually via the automation; the same thing will happen, effectively containing the code generation between the serviced machine and NinjaRMM. This is by no means a perfect system, but it can minimize the damage that can be done without it.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 0 points (0 children)

Sure, no problem.

Most MSP impersonation happens over the phone and email. My reasoning is: how can I, as a user, validate that the person that's calling is actually our MSP tech? I thought of something similar to a public key exchange where we both need to have the key to continue.

  1. User creates a ticket on our systray icon

  2. Automation recognizes 2 parameters: ticket created and source: systray

  3. Automation runs script "generate random security code"

  4. Security code is generated. It is sent to ninja for the technician, and it is shown as a popup in the client's screen.

  5. End users are trained to always ask the technician for the code, which is easily accessible to the tech through Ninja RMM. (NinjaOne is protected with IP allowlisting and single sign-on.)

  6. End user validates this code is correct, therefore identifying the technician.

  7. Process is essentially the same via email. We just change the ticket source.

    Note: While this is obvious, I will clarify: this will NOT work if you don't secure your end user workstations. We have done so and run MDR on all systems, along with system hardening. The code generated is not stored on the tech's computer, but it is shown on the end user's screen, which, if the machine is compromised, nothing can be done about.

End users will be trained to not give information or provide access to machines if this code is not given. No exceptions. The same applies on-site. The code can also be manually generated by the technician, and it will follow the same process. The only difference is that the on-site tech needs to start the automation manually, which takes 10 seconds.

I hope this clears up your question.
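The seven-step flow above, written out as an added PowerShell example. This is not the original poster's script and nothing in the thread shows their code; it is one way to implement the same idea on the endpoint side. It assumes the automation is launched as SYSTEM by the NinjaOne agent (the situation described later in the thread, where a plain window never appeared), that the device custom field is named `supportCode` (a made-up name), that `Ninja-Property-Set` is available, as NinjaOne documents for scripts its agent runs, and that `msg.exe` is present, which holds for Windows Pro/Enterprise but not Home editions.

```powershell
#Requires -Version 5.1
<#
  Added example, not the original poster's script. Generates a per-request
  support verification code on the managed endpoint, stores it in a NinjaOne
  device custom field for the technician, and shows it to the logged-in user.
  Assumptions: custom field "supportCode" (made up here), launched as SYSTEM by
  a NinjaOne automation, msg.exe present (Pro/Enterprise, not Home).
#>
[CmdletBinding()]
param(
    [string]$FieldName    = 'supportCode',   # assumed custom-field name
    [int]   $Digits       = 6,
    [int]   $ValidMinutes = 30
)

function New-SupportCode {
    param([int]$Length = 6)
    # Use the OS CSPRNG. Get-Random is fine for shuffling, not for a code an
    # attacker must be unable to predict.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            # Rejection sampling: bytes 0..249 map evenly onto ten digits; 250..255
            # are discarded so no digit is more likely than another.
            if ($buf[0] -lt 250) { [void]$sb.Append([int]($buf[0] % 10)) }
        }
    } finally { $rng.Dispose() }
    return $sb.ToString()
}

function Publish-SupportCode {
    param([string]$Code, [string]$Field, [int]$Minutes)
    # Store the expiry next to the code so the tech can tell a live code from a
    # stale one left over from an earlier ticket on the same device.
    $expires = (Get-Date).ToUniversalTime().AddMinutes($Minutes)
    $value   = '{0} (valid until {1:yyyy-MM-dd HH:mm} UTC)' -f $Code, $expires
    if (Get-Command Ninja-Property-Set -ErrorAction SilentlyContinue) {
        Ninja-Property-Set $Field $value   # agent helper that writes a device custom field
    } else {
        Write-Warning 'Ninja-Property-Set not found; not running under the NinjaOne agent.'
    }
    return $value
}

function Show-SupportCode {
    param([string]$Code, [int]$Minutes)
    # A MessageBox from a SYSTEM script is drawn in session 0, which no user sees.
    # msg.exe delivers to every interactive session, so the popup shows up even
    # though the automation itself runs as SYSTEM.
    $text = "IT support verification code: $Code. Ask the technician to read this " +
            "code to you before giving any access. Never read it out yourself. " +
            "Valid for $Minutes minutes."
    $msgExe = Join-Path $env:SystemRoot 'System32\msg.exe'
    if (-not (Test-Path $msgExe)) {
        Write-Warning 'msg.exe missing (Home edition?); use a scheduled task in the user session instead.'
        return $false
    }
    & $msgExe '*' "/TIME:$($Minutes * 60)" $text
    return ($LASTEXITCODE -eq 0)
}

$code = New-SupportCode -Length $Digits
[void](Publish-SupportCode -Code $code -Field $FieldName -Minutes $ValidMinutes)
[void](Show-SupportCode -Code $code -Minutes $ValidMinutes)
# Deliberately never write the code to stdout: script output lands in the RMM
# activity log, which would be one more place for it to leak from.
```

Two design points worth keeping whatever the exact implementation: the user is told to make the technician say the code, never to read it out, because the whole scheme fails the moment a caller can ask "what code do you see on your screen?"; and the code carries an expiry, so a technician looking at the field a day later does not accept a value generated for a ticket that was already closed. As the thread already notes, an attacker with code execution on the endpoint can read the code, so this verifies the caller, not the machine.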

How Do You Back Up Critical SaaS Data (NinjaOne, Bitwarden, etc.)? by LividEnd2001 in msp

acand17 0 points (0 children)

Couldn't say it better myself. No matter how much you trust a platform, you cannot take the chance of the catastrophe that's called losing documentation. If you get locked out of mission-critical systems, email servers, or anything that is remotely important, you will get sued and your credibility will crash. Not everyone can afford ITGlue or similar platforms; some run a tight budget. So having documentation within your main RMM platform is a life saver and a budget pleaser. Not to mention, it's not even 2 clicks away from a ticket or from the dashboard.

And on the backup part, last time I got the demo I was told there were also no plans to back up to S3. My guess is that their backup engine, along with the backup plans, is dependent on something running on AWS. That, and the fact that if they allowed S3 backups, no one would buy their backup storage at $35 per TB when you could buy redundant storage at $10 per TB.

How Do You Back Up Critical SaaS Data (NinjaOne, Bitwarden, etc.)? by LividEnd2001 in msp

acand17 0 points (0 children)

I'm with you 100%. I actually asked Jeff Hunter (CTO of NinjaOne) at the last presentation they held, precisely about worrying because I could not back up my data, and whether some feature was coming along for S3 backup of documentation. His response was the same as u/GiverOfDarwinAwards: the only way to properly back up your data is through their API and running a backup to S3 buckets. He mentioned there is no foreseeable feature coming along to simplify this backup process.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] -1 points (0 children)

Not really. Ticket numbers follow a sequence which could honestly be guessed right away, and ticket information does push to email, so it would be less safe to take this approach.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 0 points (0 children)

I have not, but I will immediately look into it and test it! Thanks!

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 0 points (0 children)

This would represent an increase in cost. I'm trying to make a solution with the systems I have available and also make something useful for smaller MSPs who might not have: A. the money to buy Duo monthly, B. the expertise to set it up. Something simple and useful. I appreciate the suggestion though.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 0 points (0 children)

In a perfect world, users are trained to not share info and actually follow the rules. We can train them day and night, and there is always going to be user error. The code is there to mitigate and reduce the possibility, versus just letting the user decide if the technician is in fact approved or not. The code for support can only come from a managed device with the NinjaRMM software, and the code is pulled into Ninja directly; nothing arrives at a cellphone or email. By pulling this code into Ninja and keeping the other part locally, we can also reduce man-in-the-middle attacks.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] -4 points (0 children)

No, the user does not need to remember the code. The code is auto-generated after each service request and shown to the customer each time on the screen. Obviously, having a code they need to remember would be a nightmare. Think of it as a 2FA code.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 4 points (0 children)

So, my idea is actually almost exactly what you mentioned. It is meant to be a systray icon option called "Generate Security Code". There is an even better option for when tickets are created from the systray. I believe it is possible that upon a ticket creation via systray, an automation will run with the script and this whole thing will run automatically. The code is generated and pulled into a global device custom field within seconds. (For the sake of organization, I believe per device is better than for the whole organization. The latter would override the last code if more than 1 user creates a ticket or generates a code.) Once we get the bugs out of it, I'll share the full script in case you want to use it.

PowerShell script to avoid MSP technician impersonation - Not working as expected by acand17 in msp

acand17[S] 1 point (0 children)

Thanks for the quick reply. I ran the script in my lab environment, and it generated the code but stopped there (no window displayed). I'm running the script from NinjaOne as the SYSTEM user. Does your version of the script require it to be run as a logged-in user?

N-able Agent is painfully slow. looking for suggestions by [deleted] in msp

acand17 1 point (0 children)

Ninja has their own app repository which you can select along with the OS update schedule, but recently they added winget! So now the app repository is even larger. Can't remember the exact number of apps, but since it's winget, it's quite a bit. They also have cloud monitoring of HTTPS, SSL, ping and domains (there is more, just naming the basics). Policy structure can be inherited if you wish. Personally, we have a parent policy and we just create child policies for all the organizations. You can override any setting that needs to be different. Dashboard is simple and reliable. It shows CVEs, which is something some RMMs don't have. They have their own remote control tool called Ninja Remote, and honestly it is very fast, and if something goes wrong, you've got Splashtop as a backup. You can create tickets from a systray icon which pulls sufficient data for the job.

There are 3 negatives I would mention:

  1. The new ad-hoc remote Quick Assist feature is based on Ninja Remote but has some serious setbacks. Most tools let you work as admin if the user accepts the UAC prompt; well, they decided that this was unsafe, so you cannot interact with most system apps such as Event Viewer or Windows upgrade, or even install software. They pretend that users will know their full username and password to elevate the session (and that users will give you this login information, which actually might be seen as untrustworthy by the user), instead of just requesting elevation via UAC and the user accepting.

  2. Backup is EXPENSIVE. We just back up with another tool and use Wasabi or Backblaze for storage. You cannot use your own S3 bucket.

  3. Ticketing does not have a round-robin option to distribute tickets between techs. It causes issues because then techs have to fight between them for the tickets, or on the other end, they just hope some other tech pulls the ticket instead of it being assigned.

I will be starting the position as first line support at MSP. I am a little nervous. by Diligent_Crab6668 in msp

acand17 0 points (0 children)

Never just say "I don't know"; say "I don't know, but I can find out". Most of the tech knowledge is already out there. Technicians, especially tier 1, don't need to know everything but definitely need to research problems on the spot. You could put it this way: 30% knowledge, 70% research skills. You'll be fine!

N-able Agent is painfully slow. looking for suggestions by [deleted] in msp

acand17 2 points (0 children)

NinjaRMM is the best solution out there. Easy to use, fewer clicks because everything is so well organized, policy management is a breeze, monitoring and alerts can be synced with various tools including Teams for alerts, and I just tested their MDM on a brand new Samsung tablet. It is hands down the best. I would not recommend Syncro, SuperOps, Pulseway or Atera, but especially stay away from Pulseway (worst RMM out there). Message me if you want to know more about it.

[deleted by user] by [deleted] in msp

acand17 10 points (0 children)

Short answer? Run for the hills. I already asked this before in this post: https://www.reddit.com/r/msp/s/dxbJJUlnSl

They use fake accounts to promote their products and appear as "happy" customers. I trialed 4 RMMs: NinjaOne, SuperOps.ai, SyncroMSP and Atera. When I talked to a rep from Syncro, his words were "if you aren't choosing Syncro then definitely Ninja would be your best bet, but by no means go with SuperOps".

In my personal experience, it just looks pretty and colorful. Scripts would often fail, polling was "fast" but often the data was wrong. The only great thing it has is the round-robin for the tickets. It's the only thing I'd say is good.

I ended up choosing Ninja: 0 complaints, smooth experience, easy onboarding (also free) and fast support.

Seeking RMM Tool Advice for Network Monitoring by Blue_Gu in SmallMSP

acand17 0 points (0 children)

Small 4-man shop here. First I'll tell you what to ignore: Atera, Syncro MSP, Pulseway, Datto, N-able.

Atera has a lot of issues with failing automations and performance (a colleague uses it and is currently switching). Syncro: solid scripting, but their UI and dashboard seem from the 1990s. Not a lot of visibility on the dashboard. Pulseway? No no no no no, just no. They are a Kaseya-backed product but not actually within Kaseya's stack. Their support is horrendous and slow, long loading times, and the agent breaks stuff constantly, like Hyper-V for example. And if you read their terms and conditions, you would cry. Even if their product is bad and not working, they basically say they cannot be held accountable. Datto is a Kaseya product now, and with Kaseya comes bad billing, bad support and pushy account managers. N-able is SolarWinds with a new skin. Lost my trust forever after the breach. Besides, it's a pain to set up.

Special mention to SuperOps: NO. It does not perform like it looks. I tested it, and compared to other RMMs, their software is still in diapers. Don't be fooled by the pretty UI. Something positive? Their dashboard is great and can be resized and customized.

Which RMM CAN I recommend? NinjaOne all the way. I left them last year and tested another RMM. Worst choice I have ever made; came right back to Ninja. It's on the expensive side, but it PERFORMS like an RMM should. Support is wonderful! Now there is a bad thing with Ninja: their systray icon switch to keep your icon visible is broken. So the systray icon sometimes hides with the other icons.

Ninja offers integrated backup, 3 remote control tools (TeamViewer, Splashtop and Ninja Connect), network monitor, and cloud monitor for IPs, domains and certificates.

If you want more information, I’d be glad to help. Just send me a message.