Peak security
-
Does it actually happen to people? All servers I worked with both had a back door (or two), and someone at the data centre (during work hours at least) you could contact in an emergency.
wrote on last edited by [email protected]iptables default DENY and flush the rules. Done by at least two people I know (then me) at the same company. Led to them moving the servers in-house and virtualizing some services to connect to the hypervisor. It does happen though.
-
deaths
deaths nuths
-
^This^ ^is^ ^a^ ^joke,^ ^I^ ^didn't^ ^really^ ^lock^ ^myself^ ^out^
Before you make a change, do this in a screen-session:
sleep 300 && iptables-restore old_fw_rules.bak
-
It's easy to write, easy to build, produces lightweight and fast executables, and the type system is great. Why not rust?
Rust does not have an ABI. Everything is linked into the executables. I would not call them lightweight.
-
I'd rather plug in a screen with VGA than deal with HPE iLO 4
Sounds like an issue draling with .NET or JRC console.
Are you on the nosz up to date firmware? -
Would misusing the
ddcommand be considered a hardware failure?Yes. Everything is a hardware failure because where does the software run? That's right, on hardware. So software bug = hardware failure.
-
^This^ ^is^ ^a^ ^joke,^ ^I^ ^didn't^ ^really^ ^lock^ ^myself^ ^out^
This is the NetAdmin's problem. And he's got 3 ways to get into the datacenter, so he goddamn well better have an answer that doesn't involve airfare. Worst case, he's gotta use remote hands, but that would be embarrassing, and I'd not let him forget it. Nobody forgives me when I screw up a server cluster, so he gets no latitude when he takes a datacenter offline.
-
Since that happens to the best of us, I envision writing a wrapper script around {n,}pfctl that asks for confirmation upon detecting that you're logged in via ssh through a specific port AND detecting that the new rules would block that port.
VMware does this with its virtual networking. If a change takes it offline, it automatically rolls it back. It can be frustrating at times, but mostly its saved my ass.
-
I'd rather plug in a screen with VGA than deal with HPE iLO 4
I keep a Windows 2008 w Java 6 VM on ice for administering old Java console shit like that.
The VM is unsafe as hell. Completely virgin unpatched. The only protection is that I don't give it a gateway or dns, and I shut it down when its not in use.
And it works. Old Java shit can still be used. -
They should have a remote console like Dell RAC or HP iLO
I hate it when my boss says that. Or he will call it "D-RAC". Annoys the hell out of me.
It's iDRAC.
Yes, there are components that are called RAC, but the Dell out of band management system is called iDRAC.
... but that's not as dumb as when he calls the SuperMicro system "iLO". That's IPMI. We don't even own any HPE. I've no idea why he's stuck on iLO. -
Rust does not have an ABI. Everything is linked into the executables. I would not call them lightweight.
Oh, so it's inconvenient for GPL-circumventers, too? That just sounds better and better.
-
Sounds like an issue draling with .NET or JRC console.
Are you on the nosz up to date firmware?I remember there being the option of using HTML or a Java applet, I chose the former
-
I'd rather plug in a screen with VGA than deal with HPE iLO 4
wrote on last edited by [email protected]Networking noob here; what, pray tell, is HPE iLO4... or do I want to even know?
Edit: Never mind. Found it. HP... shudders
-
Rust does not have an ABI. Everything is linked into the executables. I would not call them lightweight.
wrote on last edited by [email protected]A standard Docker container with a NodeJS/PHP/Python app is usually around 200-300 MB (yes really), the OpenJDK JVM is around a hundred MB, but a fully statically compiled rust binary that doesn't even depend on libc is just a couple MB and can be deployed as a tiny distroless Docker container.
It's a lot heavier than your 8kb C++ executable but it's nothing compared to what is required to deploy anything else.
-
I remember there being the option of using HTML or a Java applet, I chose the former
If you have the HTML5 option you should be on a pretty recent firmware.
Interesting that you'd prefer going (literally) analog connection rather than over the IPMI.
-
Before you make a change, do this in a screen-session:
sleep 300 && iptables-restore old_fw_rules.bak
permission denied
fuuuu
-
^This^ ^is^ ^a^ ^joke,^ ^I^ ^didn't^ ^really^ ^lock^ ^myself^ ^out^
Rescue mode with networking, mount drive, make changes and reboot.
-
even worse. I regularly have to get up out of my chair and go down 2 stairs.
Also this took a while to find, but : https://sourceforge.net/p/shorewall/svn/HEAD/tree/branches/4.2/Samples/one-interface/shorewall.conf
ADMINISABSENTMINDED=YesIs an actual setting in the config for the (now apparently unmaintained) Shorewall Firewall software/tool for linux.
If I remember correctly, it always checks on firewall rule changes if there is an active connection on port 22, and adds a special rule at the end to maintain that connection.
They don't build them like they used to anymore.
They don't build them like they used to anymore.
Well if we did, the way it works would be by telling a chatbot to enable ssh on port 22 at the end.
-
Would misusing the
ddcommand be considered a hardware failure?Yup, that's a bug in the chair-keyboard interface.
-
Oh, so it's inconvenient for GPL-circumventers, too? That just sounds better and better.
To me, it is mostly a real blocker for using it in some embedded Linux devices due to size constraints, otherwise I personally would be using it extensively.
