Token's lvl1 blog- edit -- Token's rantings

@Token I know you wrote you looked into it back in '19. Did you get any of those fire suppressant balls?

Just wanted to inform you about those (and powder extinguishers).
The powder in those is highly corrosive, so much so that you can basically throw out anything with metal in it if you use it in an apartment (cutlery, electronics, tools, toys). Now imagine a garage, which is basically one room, with one of those going off in the rack (even if it is the insulated one): you can write off the car, any tools and everything else, as it will rust very quickly.

A CO2 extinguisher is the safest bet for electrical fires in enclosed spaces; the only reason to have a powder extinguisher is if the room it is in is not heated and temps can get below any other fire extinguisher’s minimum operating temperature (it’s why we have powder extinguishers in our open stairwell).

The thing to keep in mind about CO2 and powder extinguishers is to leave the room and close the door after discharging them, otherwise you could lose consciousness as the CO2 displaces a lot of oxygen in the room, and the powder is very bad if breathed in.

Not wanting to butt in or rain on your parade if you did get some of those, but I’m a volunteer firefighter and I hate seeing people use the wrong extinguishers for their use cases.

1 Like

I believe we talked about the corrosiveness, not sure though. I think it boiled down to cost- I’ll gladly throw the cheap ebay rack mount stuff away (data is backed up) and replace them for what it costs to have a good CO2 or Halon setup, the bigger picture is not letting the house burn down. The cost is just so drastic.

I was flying squad in the Navy so trust me, I’d love a gucci CO2 or Halon system with the right capacity, but they are so pricey. Same for what I’d carry in my truck and car, a compact CO2 or Halon extinguisher- the pricing for those has finally settled in at under $200 each.

Hell… maybe a DIY AFFF isn’t unfeasible and costs less than CO2/Halon. Maybe I’ve gone at it all wrong and can use a welding tank full of CO2 and some DIY magic…

Speaking of backups- my craptastic bubble-gum and band-aid stitched together backup setup of a raspi, external USB drives and rsync has died. When I reboot the pi it does not fix the rsync job like it used to.

I think I’m going to shuck these 5TB external Seagates, put them in my desktop and simply use Syncthing to backup critical folders whenever my desktop is booted up.

Hate is a very strong word- we abuse it way too much. That said.

I hate, Hate, HATE how ACLs are done in FreeNAS.

HATE.

I’ve run through this: Group writable option:

And IMO better written here:

Added a number of groups, linked them, added them to the ACL of the dataset- just no joy, can’t get Syncthing to get past “permission denied”

My naïve unknowledgeable side has the optimism that even though TrueNAS SCALE is supposed to have the same GUI, things like this will be more intuitive and flow/work. I’m at a loss as to how many groups and users I can make, same names, same UIDs, associating them (right term?) etc and it just won’t play nice.

So this isn’t accurate anymore:

I can simply chmod -R 777 the dataset

That “fixed it”- quotes because it’s not really fixed; the front door was taken off the hinges because the programmable lock sucks. I don’t like how unintuitive FreeBSD FreeNAS is. Feels like you choose between “so compliant it’s useless” and “wide the f*ck open”.

With the groups and users GUI so useless to all other than grey beards, it won’t be used. Much like a diet that can’t be maintained… well, it isn’t effective and isn’t maintained.

oh well.

I needed a win after such a fail with FreeNAS ACLs so I wanted to build on top of a Splunk panel that indicates if a machine with an outside address is directly hitting an RFC1918 machine, indicating possible compromise. I wanted to build out on it to indicate port scanning within my network.

Googled, played around and made a panel in my Splunk to detect if a compromised machine on my network is being used to pivot and network scan other machines on my network (kind-of sort-of, the traffic has to pass through my router, so if it’s L2 via my switches, it won’t be detected…)


Pic example of my desktop scanning two different chromecasts.

I’m no expert, but what I think I did here in non-1337 speak is:

  • get pertinent log source, ignore some stuff I know is noisy
  • only care about RFC1918 addresses
  • Distinct count of port numbers per source IP
  • where that count is over 100
  • add time relevance
  • add some quantification of scan severity (I would do an nmap ‘quick’ scan, then an ‘intense’ scan. The delta in how many ports are hit makes a quick scan = 1, intense scan = 2).

I haven’t verified it yet but I’m 99% certain if I scan a machine from LAN to LAN it won’t get picked up, my L2 switches will pass that traffic around the Router. But for attempts to cross network segments this should work… I think… 60% of the time, every time.

3 Likes
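The port-scan panel described in the post above, rewritten as plain Python over constructed firewall log lines so the steps can be seen end to end. This is an added example, not the poster's SPL and not pfSense or Splunk code; the log line shape, the window length and the two severity cut-offs (above the threshold = 1, at or above a higher count = 2, standing in for the quick/intense scan sizes the post mentions) are assumptions of this example.

```python
"""Flag RFC1918 sources that hit many distinct destination ports in one time
window: noise filter, RFC1918 filter, distinct-port count per source, threshold,
time bucketing, and a two-level severity. Sample log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line shape (constructed for this example, not real filterlog output):
#   2021-03-04T12:00:01Z block 192.168.1.50 -> 192.168.1.20:443 tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True when the address is in one of the three private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(lines, threshold=100, severe=500, window_s=300, noisy_sources=()):
    """One finding per (source, time window) whose distinct destination port
    count exceeds `threshold`. Severity 1 = over threshold, 2 = at or above
    `severe`; both cut-offs and the 5 minute window are assumed values."""
    ports = defaultdict(set)  # (src, bucket) -> set of destination ports
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] in noisy_sources:
            continue  # unparseable or known-noisy source, skip
        if not (is_rfc1918(rec["src"]) and is_rfc1918(rec["dst"])):
            continue  # the panel only cares about internal-to-internal traffic
        bucket = int(rec["ts"].timestamp()) // window_s
        ports[(rec["src"], bucket)].add(rec["dport"])
    findings = []
    for (src, bucket), seen in sorted(ports.items()):
        n = len(seen)
        if n > threshold:
            findings.append({
                "src": src,
                "window_start": datetime.fromtimestamp(bucket * window_s, tz=timezone.utc),
                "distinct_ports": n,
                "severity": 2 if n >= severe else 1,
            })
    return findings


def sample_lines():
    """Constructed traffic: a 150-port scan, a 600-port scan, a benign client,
    and an external scanner that the RFC1918 filter is meant to drop."""
    base = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for p in range(1, 151):   # 150 distinct ports within 75 s
        lines.append(f"{stamp(p // 2)} block 192.168.1.50 -> 192.168.1.20:{p} tcp")
    for p in range(1, 601):   # 600 distinct ports within 120 s
        lines.append(f"{stamp(p // 5)} block 192.168.1.51 -> 192.168.1.21:{p} tcp")
    for p in (53, 80, 443):   # ordinary client traffic
        lines.append(f"{stamp(10)} pass 192.168.1.60 -> 192.168.1.1:{p} tcp")
    for p in range(1, 301):   # external source: out of scope for this panel
        lines.append(f"{stamp(p)} block 203.0.113.5 -> 192.168.1.20:{p} tcp")
    return lines


if __name__ == "__main__":
    for finding in detect_scans(sample_lines(), noisy_sources=("192.168.1.1",)):
        print(finding)
```

Run as-is it reports only the two internal scanners; the external source never reaches the counter, which mirrors the post's caveat that this panel only sees traffic the router forwards.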

Completed a backup of share drives. Backed up FreeNAS config.

Updating FreeNAS 11.3 to TrueNAS 12.0.

I’m scurred.

Welp:

To get the VMs back up ASAP, I navigated to the NFS path and fired the bazooka, chmod -R 777 ‘unique ID of what was in there’
VMs now boot up and run. There is a website I’m hosting for only another few weeks that was critical to be up. I’d like to play with restricting permissions later when uptime isn’t critical.

  • Plugins/Jails need manual updating done via shell.
    image

Update the Jail:

Strange observation- IMO the TrueNAS team tried to fix this issue and you have this check box option:
image

It did not work for Netdata or Syncthing, but it worked for xmrig. For Netdata I then did the command line update then GUI update. I haven’t tried anything with Plex yet. I’ll manually update Syncthing later. xmrig seems to have stopped mining after the TrueNAS update, and even after updating the plugin it is still not mining, so I need to look into that.

So lukewarm I guess. Honestly impressed I didn’t have to revert back to FreeNAS, the level of work the team puts in must be monumental. Now the other perspective- when Xen and TrueNAS try to rub shoulders with enterprise, I want to say they fall short with having upgrade issues- but that would make me a liar. I’ve seen my company have to bring VMware support reps out to help days long upgrades… so… Also spent months on a team all working away to make a Splunk 7 to 8 upgrade mesh. I guess it’s the mark of true enterprise grade then haha.

Lessons learned. I need to research a way to backup some of my VMs in an effective way. For example maybe the ability to move snapshots to backup storage plus an effective way to import them into different storage (say, the native storage on the hypervisor) if the network storage is down. I don’t think this is possible due to how snapshots work incrementally. Maybe something like exporting the whole VM on a schedule to non-TrueNAS storage, affording me the ability to just build a new VM from the VMDK, OVA (or whatever xen uses).

Maybe still peeved, but I’m not going to do this to fix Plex:

It’s simple, nothing crazy, but something in my stubborn region of the brain is in full swing. Plex currently works, I’m going to leave it alone. Hell, why update? Plex just seems to get deeper and deeper into being sold out.

On my burner facebook phone (to list things for sale, they overtook craigslist in my region) I went into the privacy settings for sh*ts and giggles- lots of apps talking with facebook, I was pretty pissed to see Plex as one of them.

I might not mess with syncthing either- I just got it working, and it still seems to work now, I’ll just leave it alone for now.

Another observation, TrueNAS is just snappier- overall faster. I’ve been reading of other people using services I don’t, like Time Machine, and it got much faster. For me, just using the webUI is much faster now.

I need to do some small vid if just for personal reference on syncthing. It’s amazing, it’s powerful- so for derps like me it’s hard to remember how I did things in the past, and easy to make mistakes like nesting folders or creating duplicate files- not so much a loop, but duplication.

But yeah, syncthing is AWESOME. I’ve installed the android app, made another dataset/filesystem in TrueNAS, set things up so that certain folders sync from my phone to my TrueNAS only when on a specific wifi SSID, and then those folders backup to another spot as well. This should be a good hold-over until I get off my butt to do a Nextcloud build.

Just did some troubleshooting with pfBlockerNG DNSBL. I could not download attachments from yahoo mail.

Go to pfSense >> Firewall >> pfBlockerNG >> Reports >> Unified.

Try to use the affected site/feature again. Look at the logs that populate, click on the red lock to temp unlock that domain, then try the resource again.

Next, commit that exception to the whitelist (>> DNSBL >> DNSBL Whitelist). In this case it’s “ymail.com”.

Then ask yourself why you still use Yahoo Mail…

1 Like

Bought this so that I can join the ranks of those with a standing desk yet hardly stand haha

Avahi suddenly stopped routing my Chromecast mDNS. I should do a pfsense restart but I’m feeling derpy today so will likely upgrade to 2.5 and break things… Backed up the config and will ensure I have a bootable 2.4.x image to bounce back to.

pfSense upgrade from 2.4.(forget) to 2.5.1 went pretty well. Reboot took really long, and there were some hiccups that tempted me to reboot again but it settled down on its own.

Avahi is doing its thing again. All packages updated automatically- neat.

Some panels on my Splunk dashboard are not displaying results after the update. Looks like the log format changed ever so slightly so I will need to re-work the regex field extractions. This makes me sound competent at the task, but I am not. Like looking at a horrendous workout in front of you, this is going to suck, but feel good at the end.

The big inputs to the changelog for logging are not in 2.5.1 but 2.5.0.

Changed system logging to use plain text logging and log rotation, the old binary clog format has been deprecated #8350

Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits (200k, up from 2k) #9734

Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs #9714

Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs #9714

Added GUI options to control log rotation #9711

Added code for packages to set their own log rotation parameters #9712

Removed the redundant nginx-error.log file #7198

Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others) #1375

Reorganized/restructured several log tabs #9714

Added a dedicated authentication log #9754

Added an option for RFC 5424 format log messages which have RFC 3339 timestamps #9808

Fixed an issue where a firewall log entry for loopback source/destination occasionally reported 127.0.0.1 as 127.0.01 #10776

Fixed issues with syslogd using an old IP address after an interface IP address change #9660

Added watchfrr to routing log #11207

I still haven’t asked the Snort team about their logs now omitting the interface ID. Meh.

1 Like
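The changelog quoted above is why the Splunk field extractions broke: the same log message can now arrive in the old BSD syslog envelope or, if the new option is turned on, in an RFC 5424 envelope with an RFC 3339 timestamp. The parser below is an added example, not pfSense or Splunk code, showing one function that pulls the same fields (timestamp, host, program, pid, message, and for 5424 the facility and severity decoded from the priority) out of either envelope; the message bodies in the samples are constructed.

```python
"""Parse a syslog line in either BSD (RFC 3164 style) or RFC 5424 form into
one common dict, so downstream field extractions see the same shape."""
import re
from datetime import datetime

# BSD / plain-text envelope:  "Mar  4 12:00:01 pfSense filterlog[12345]: <msg>"
BSD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# RFC 5424 envelope:  "<PRI>1 <RFC3339 ts> host app procid msgid structured-data <msg>"
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)


def parse_syslog(line: str, year: int = 2021):
    """Return a dict with common keys for either format, or None if the line
    matches neither. BSD timestamps carry no year, so one must be supplied
    (assumed here, as a real collector would take it from the current date)."""
    m = RFC5424_RE.match(line.rstrip("\n"))
    if m:
        d = m.groupdict()
        pri = int(d["pri"])
        return {
            "format": "rfc5424",
            "ts": datetime.fromisoformat(d["ts"]),   # RFC 3339 with offset
            "host": d["host"],
            "prog": d["prog"],
            "pid": int(d["pid"]) if d["pid"].isdigit() else None,  # "-" = nil
            "facility": pri // 8,                     # PRI = facility*8 + severity
            "severity": pri % 8,
            "msg": d["msg"],
        }
    m = BSD_RE.match(line.rstrip("\n"))
    if m:
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%b %d %H:%M:%S").replace(year=year)
        return {
            "format": "bsd",
            "ts": ts,                                 # naive, no zone in the line
            "host": d["host"],
            "prog": d["prog"],
            "pid": int(d["pid"]) if d["pid"] else None,
            "facility": None,                         # not present in this envelope
            "severity": None,
            "msg": d["msg"],
        }
    return None


# Constructed samples: the same (made-up) filterlog body in both envelopes.
SAMPLE_BSD = "Mar  4 12:00:01 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4"
SAMPLE_5424 = ("<134>1 2021-03-04T12:00:01.123456-05:00 pfSense filterlog 12345 - - "
               "5,,,1000000103,igb1,match,block,in,4")

if __name__ == "__main__":
    for line in (SAMPLE_BSD, SAMPLE_5424, "not a syslog line"):
        print(parse_syslog(line))
```

The practical point for a field extraction is that `prog`, `pid` and `msg` come out identical from both envelopes, while only the 5424 form yields a year, a zone offset and the facility/severity pair.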

I don’t know if anyone is really “competent” at regexes, but if you can create an awful blob of garbage that almost does exactly what you want it to do, then I’d say you’re doing pretty good.

2 Likes

Regex typo was the reason for the massive cloudflare outage a couple (I think) years back.

It is not meant for human brains.

1 Like

It would have been good practice to go after it, but found that the creator of the TA updated!! I didn’t count on that.

However I had some other mods in that file to carry over, so I got to learn how to open nano (yeah yeah, bring on the jokes) in buffer mode to take text from one file and copy over to another.

Now I’m onto an idea. I got caught up in the YouTube rabbit hole- I had never heard of WIDS/WIPS (Wifi intrusion detection/prevention system). I do not want to spin up whole new servers to play with the software mentioned in the vids, but try and make what I have do it.

Got Unifi controller and AP logs with it into Splunk. Quick line break in a props.conf to fix time stamping (will not admit how long it took me to figure this out- extra egg on face I’ve been through this before…)

Tested pulling a phone off and on wifi. Watched logs.

TO DO

SPL to make an event from multiple drop/connect from the same MAC in X period of time.

Test with spinning up some airodump-ng.

Validate.

If good, setup as alert.

Already have Splunk Cloud Gateway and app on phone installed to get alerts when garage door opens/closes (tasmota relay with syslog output to Splunk). Will now hopefully get alerts on phone if someone is actually going to town grabbing creds from a wifi de-auth attack.

Neat.

EDIT- OMG looking at the bottom of that snippet “Added device extraction to DHCP Events”. So juicy, this is awesome. I had been plebing it just looking at ARP when I would dig into something. Never looking into the raw logs to see this was an option.

For the Unifi AP logs, I will need to make some kind of lookup table to get this same feature. Good challenge to make some kind of automatic lookup to keep it updated from pfsense dhcp logs to be used to give device info to Unifi AP events (MAC).

NEAT!

Edit 2

I might want to play with some of the YouTube suggested software just to see how WIPS goes about prevention as the above setup would just be WIDS.

Progress:

Probably calling this done prematurely but… Success.

Spun up the ole’ kali laptop (VM was fighting the airmon-ng assigning) and did deauths limited to just 4.

Needs some fine tuning, managed about 2 false positives so far due to machines having random drop-off and reconnection. Should be an easy tweak in the SPL.

Don’t know why this tickles me so much, but it does. No need to install any additional software, just configuration of what I already have I guess.

pfsense update seems to have changed the snort log output as well, need to investigate how to fix the field extractions in Splunk.
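The WIDS idea from the posts above (an alert when one MAC drops and reconnects several times within a short window, with the false-positive tuning for hosts that drop off on their own) together with the MAC-to-device lookup built from the DHCP log, as one added Python example. It is not the poster's SPL and not Unifi or pfSense code; the AP log line shape is assumed for this example, the DHCP lines follow the ISC dhcpd "DHCPACK on ... to ... (hostname) via ..." pattern but are constructed here, and the default of 4 drops within 60 seconds is taken from the poster's test of 4 deauths.

```python
"""Sliding-window detection of repeated Wi-Fi disconnects per client MAC,
enriched with hostname/IP from DHCP ACK lines. All log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed AP line shape (constructed, not a real Unifi export):
#   2021-03-04T12:00:00 ap-garage hostapd: ath0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: disassociated
AP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) hostapd: (?P<iface>\S+): STA "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) IEEE 802\.11: (?P<event>associated|disassociated)"
)
# ISC dhcpd style ACK line, as pfSense's dhcpd logs it (sample values constructed):
#   Mar  4 11:58:00 pfSense dhcpd: DHCPACK on 192.168.1.23 to aa:bb:cc:dd:ee:01 (tokens-phone) via igb1
DHCP_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \((?P<host>[^)]*)\) via"
)


def build_dhcp_lookup(dhcp_lines):
    """MAC -> {ip, host} from DHCPACK lines; the latest ACK for a MAC wins."""
    lookup = {}
    for line in dhcp_lines:
        m = DHCP_RE.search(line)
        if m:
            lookup[m.group("mac")] = {"ip": m.group("ip"), "host": m.group("host")}
    return lookup


def parse_ap_line(line):
    m = AP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_deauth_storms(ap_lines, lookup, threshold=4, window_s=60):
    """One alert per MAC whenever `threshold` or more disconnects fall inside
    any `window_s` span. Drops spread further apart than the window (the
    random drop-off/reconnect case) never reach the threshold, which is the
    tuning knob for the false positives mentioned in the post."""
    drops = defaultdict(list)
    for line in ap_lines:
        rec = parse_ap_line(line)
        if rec and rec["event"] == "disassociated":
            drops[rec["mac"]].append(rec["ts"])
    alerts = []
    for mac, times in sorted(drops.items()):
        times.sort()
        i = 0
        while i < len(times):
            j = i  # extend j to the last drop still inside the window from times[i]
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                info = lookup.get(mac, {})
                alerts.append({
                    "mac": mac,
                    "host": info.get("host", "unknown"),
                    "ip": info.get("ip"),
                    "drops": j - i + 1,
                    "first": times[i],
                    "last": times[j],
                })
                i = j + 1  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


def _stamp(sec, base=datetime(2021, 3, 4, 12, 0, 0)):
    return (base + timedelta(seconds=sec)).isoformat()


# Constructed samples: a phone hit by 4 deauths in 15 s (each followed by a
# reconnect) and a laptop with three unrelated drops minutes apart.
AP_LINES = []
for s in (0, 5, 10, 15):
    AP_LINES.append(f"{_stamp(s)} ap-garage hostapd: ath0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: disassociated")
    AP_LINES.append(f"{_stamp(s + 2)} ap-garage hostapd: ath0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated")
for s in (0, 400, 900):
    AP_LINES.append(f"{_stamp(s)} ap-garage hostapd: ath0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: disassociated")

DHCP_LINES = [
    "Mar  4 11:58:00 pfSense dhcpd: DHCPACK on 192.168.1.23 to aa:bb:cc:dd:ee:01 (tokens-phone) via igb1",
    "Mar  4 11:59:00 pfSense dhcpd: DHCPACK on 192.168.1.40 to aa:bb:cc:dd:ee:02 (kali-laptop) via igb1",
]

if __name__ == "__main__":
    for alert in detect_deauth_storms(AP_LINES, build_dhcp_lookup(DHCP_LINES)):
        print(alert)
```

With the defaults only the phone is reported, and the alert already carries the hostname from DHCP, which is the lookup the post wants for Unifi AP events; widening the window or lowering the threshold is what turns the laptop's slow drops into a false positive, so those two values are where the tuning lives.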

My TrueNAS mining side gig finally reached .09 XMR getting a payment. I have at the current market value $37.11 USD in XMR LOL. Probably spent more in electricity doing it.

I’m probably on some IRS list now too…

Interesting Snort logs today:
image

Yes I run wordpress, I like to live dangerously. It’s kind of an unintentional honeypot.

1 Like