by ezs | Jun 7, 2025 | evilzenscientist
Ah – the delights of the security dance.
This website, and others I maintain, use CloudFlare as the free front-end to safeguard against brute force and DDOS attacks. For several of these sites the geo-fencing is set to US only.
Last time round the certs failed to renew. Some troubleshooting, and the secondary challenge from the Let’s Encrypt ACME client was getting firewall denied at the Cloudflare side.
There is no allow-list of IPs, nor a single ASN to allow.
This FAQ from Let’s Encrypt is helpful – and I’ll probably need some process updates to make this more robust.
by ezs | Jun 7, 2025 | evilzenscientist
It’s that time of year again.
The SUSE Linux Enterprise Server roadmap is a great planning resource.
Upgrading from SLES 15 SP5 – and I got the choices of SP6 and SP7, the latter may be late public beta, release candidate or general availability. (Usually non-GA releases are flagged as such, so I suspect that the upstream repos have recently rolled over to GA. I’ll update over the coming week).
The usual zypper migration, resolve some dependency issues (deprecated packages, standalone items to make SLES 15 SP5 useful), accept the EULA, and ten minutes of updates and a reboot later.
Quick and easy.
by ezs | Apr 4, 2025 | evilzenscientist
Note for the future.
- Deletion performs a soft delete, which leaves the Log Management solution in place, which then can’t be deleted
- Make sure you do a hard delete, which allows the Log Management solution to be deleted.
I wish I remembered this every time.
by ezs | Apr 1, 2025 | evilzenscientist
Unmanaged disks (aka classic Azure disks) where the VHD lives inside a storage account are end of life at the end of September 2025.
We have a handful that are underpinning some older appliances.
Finding them is a simple Kusto search:
resources
| where type == “microsoft.compute/virtualmachines”
| join kind=leftouter (ResourceContainers | where type==’microsoft.resources/subscriptions’ | project subscriptionName=name, subscriptionId) on subscriptionId
| where properties.storageProfile.osDisk.managedDisk == “”
| extend osDiskName = properties.storageProfile.osDisk.name
| extend osDiskUri = properties.storageProfile.osDisk.vhd.uri
| project subscriptionName,resourceGroup, vmName = name, osDiskName, osDiskUri
| union (
resources
| where type == “microsoft.compute/virtualmachines”
| mvexpand dataDisk = properties.storageProfile.dataDisks
| where dataDisk.managedDisk == “”
| extend dataDiskName = dataDisk.name
| extend dataDiskUri = dataDisk.vhd.uri
| project vmName = name, dataDiskName, dataDiskUri, resourceGroup
)
by ezs | Mar 23, 2025 | evilzenscientist
Went into Mailchimp and did some much needed cleanup.
Archived some 50% of the mailing list that had unsubscribed.
I need to dig more into the platform, it’s been neglected for too long.
by ezs | Dec 4, 2024 | evilzenscientist
I’ve been using this term to describe football, aka American football, aka gridiron, for many many many years.
I was surprised that there were zero hits on either Google or Bing search for this term.
This is absolutely a blog post to make sure it gets indexed 😀
by ezs | Aug 29, 2024 | evilzenscientist
Today was the end of my experiment with MySQL PaaS in Azure.
To be honest – performance, metrics and security were as described. Private connectivity within the virtual network, horizontal and vertical scaling, great metrics.
I got burned twice.
Once with a “potential bug” that burned $65k of Azure spend in a few hours (that was eventually refunded!), more recently with the Azure portal throwing errors continually.
I’ve exported the data, reimported to an IaaS MySQL/MariaDB instance – and moved on.
by ezs | Jan 13, 2024 | evilzenscientist
This turned out to be really simple; and there are some really good tools and docs at https://dmarcian.com/
- set up DKIM DNS records
- CNAME selector1._domainkey –> selector1-{domain}._domainkey.{office365domain}.onmicrosoft.com
- CNAME selector2._domainkey –> selector2-{domain}._domainkey.{office365domain}.onmicrosoft.com
- set up DMARC DNS records
- TXT _dmarc –> correct DMARC policy
Then enable DKIM signing in the Defender portal https://security.microsoft.com
Email and Collaboration –> Policies and Rules –> Threat Policies –> Email Authentication settings
- select the domain, click on “sign messages for this domain with DKIM signatures”
It might take a while for the DNS records to propagate.
Finally test the DMARC and DKIM settings, I used the DMARC Record Checker https://dmarcian.com/domain-checker
If you end up looking to use DMARC reporting, and sending to a third party/alternate domain – you also need to set up DNS records in the receiving domain:
- set up External Domain Verification (EDV) records in DNS
- TXT {domain}._report._dmarc –> v=DMARC1
by ezs | Dec 24, 2023 | evilzenscientist
Note so I can find it next time:
storcli64 /c0 set alarm=silence
Docs here
by ezs | Nov 28, 2023 | evilzenscientist
If you’ve worked with Azure for any real length of time, there are limitations to what is stored in the Azure Activity Log – both in terms of content and retention.
The solution is to send Azure logs to a Log Analytics Workspace, and retain that for as long as you needed.
Today I needed to dig into an event that occured back in the summer, featuring Bastion. A simple Kusto query with the date range and searchable text got me results in a few moments. Some display filtering of the correct columns got me to a happy place.
// Log Analyics query
search “BastionHost” // search is case-insensitive
| where TimeGenerated between (datetime(2023-06-01) .. datetime(2023-06-15)) // date ranges
| project TimeGenerated, Caller, CorrelationId, SubscriptionId, ResourceGroup, OperationNameValue, Properties_d.resource, ActivityStatusValue
// just show the columns we care about (comment the entire line if you want all)
Recent Comments