Hacker News | ghjnut's comments

I had issues too that they sent a tech support out for while warning me "If they find it's your fault, you will be assessed a charge". The tech came out, climbed my local pole and then went down the street and climbed another one. He said it was a busted port and he moved me to a new one, and put in a service request to upgrade as it was out of ports.

CenturyLink sends me a bill for maintenance. After tons of back and forth I got to the point where I said "So can you state for the record, since I'm recording this phone call, that I, the customer, should have climbed the telephone pole to remedy the issue".

After that he finally decided to get in touch with the fiber contractor they use, who emphasized it was no fault of my own, and they cleared the charge.


Some pretty interesting stuff that hits home for me. I was diagnosed with lung cancer in 2021 and I had an army of family and friends trying to find me a covid vaccine when it was only being offered to seniors 65+. Finally had a friend volunteering at a vaccination clinic which had some leftover and called me in. I wouldn't have considered it might impact my cancer treatment outside of them being unable to operate if I had covid.

My original story: https://news.ycombinator.com/item?id=27023395#27024492


Yup, went to Haiti and had my antibodies tested for Tdap and MMR before going. One of them I had to get titers for...I think Tdap?


Disingenuous take.

Here's the original study: https://www.nature.com/articles/s41586-025-09655-y.

There's a marked contrast between vaccinated and unvaccinated survival rates, and they pretty extensively tested and ruled out additional mechanisms they thought might be influencing their observations.


Aim small, miss small?


It is, which I'd argue has a time and a place. Maybe it's more specific to how I cut my teeth in the industry, but as a programmer, whenever I had to ask a question of e.g. the ops team, I'd make sure it was clear I'd made an effort to figure out my problem. Here's how I understand the issue, here's what I tried, yadda yadda.

Now I'm the 40-year-old ops guy fielding those questions. I'll write up an LLM question emphasizing what they should be focused on, I'll verify the response is in sync with my thoughts, and shoot it to them.

It seems less passive aggressive than LMGTFY and sometimes I learn something from the response.


Instead of spending this time, it is faster, simpler, and more effective to phrase these questions in the form "have you checked the docs and what did they say?"


Carl Hewitt has been championing it for a while: https://arxiv.org/abs/1008.1459 https://youtu.be/7erJ1DV_Tlo


I was diagnosed with stage III NSCLC in February '21. Radiation, chemo, and a bilobectomy. I had the ALK+ morphology, which meant I wasn't a candidate for immunotherapy, but I've been on alectinib since my surgery in June '21 with no signs of recurrence so far.

The process is grueling in hindsight, but I'm glad to hear you're getting results. At first I would have said "if this is going to kill me, make it sooner rather than later" to avoid a drawn-out painful experience, but I'm starting to appreciate what buying time really means. It's hard with all that's going on, but get your head straight and make sure you enjoy it.

Keep on keeping on.


Which container extension are you using for domain grouping? I've been looking for a good one.


https://gitlab.com/NamingThingsIsHard/firefox/bifulushi

It's a fork of kintesh/containerise which seems unmaintained and had case problems.

It's not on FF addons site - so please satisfy yourself that it isn't doing sinister stuff before installing.


Could someone do me a solid and explain best security practices around bastion hosts and vpn?

e.g.
- would you still require users connected to the vpn to go through a bastion host?
- would you ever run bastion/vpn through the same box?
- are there preferred access use cases for each?


Yes, you would still have people connect to the bastion if they're on the VPN; part of the point of a bastion is to have a central place to monitor and control SSH access, which a VPN doesn't really do for you. Additionally, you will inevitably end up with team members who need access to the VPN (to reach staging and test versions of your applications, or to access customer support consoles) but don't get SSH access; a bastion gives you a standard configuration to apply to your fleet to ensure that "on the VPN" doesn't ever equate to "can log into a server".

You should generally do both things.

Wait, I should word that better. You should generally have both sets of controls: network access control with a VPN, and fine-grained, auditable SSH-level access control. I don't love the "Linux shell server" approach to providing those SSH controls.
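The fleet-side half of that "standard configuration", as an added example that is not code from the thread: a small Python linter for a fleet host's sshd_config that fails unless password authentication is off, root login is off, and every AllowUsers entry is pinned to the bastion's address range, so a host on the VPN can reach port 22 but not log in. The bastion range 10.20.0.0/24, the OpenSSH defaults it assumes (PasswordAuthentication yes, PermitRootLogin prohibit-password, first occurrence of a scalar keyword wins, AllowUsers lines accumulate) and both sample configs are assumptions constructed for the example.

```python
"""Lint a fleet host's sshd_config so that "on the VPN" never equals
"can log into a server": SSH sessions must originate from the bastion.
Added example, not code from the thread; ranges and samples are assumptions."""
import ipaddress
import shlex

# Assumption: the bastion hosts live in this range; everything else is "just VPN".
BASTION_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_sshd_config(text):
    """Parse sshd_config text into (global_opts, match_blocks).

    Options are keyed by lowercased keyword -> list of every value seen, so a
    multi-line AllowUsers accumulates. match_blocks is a list of
    (criteria, opts), one per Match section. Only the "Keyword value" form
    used by the stock config is handled, not "Keyword=value".
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        key, vals = parts[0].lower(), parts[1:]
        if key == "match":  # every option after Match belongs to that block
            current = {}
            blocks.append((vals, current))
            continue
        current.setdefault(key, []).extend(vals)
    return global_opts, blocks


def host_in_nets(host, nets=BASTION_NETS):
    """True if an AllowUsers host part (IP or CIDR) lies inside the bastion range.
    Hostname or wildcard patterns cannot be verified here and count as unpinned."""
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def lint_fleet_sshd(text, nets=BASTION_NETS):
    """Return a list of policy findings; an empty list means the config passes."""
    g, blocks = parse_sshd_config(text)
    findings = []

    def effective(opts, key, default):
        # sshd honours the first occurrence of a scalar keyword; later ones are ignored
        v = opts.get(key)
        return v[0].lower() if v else default

    if effective(g, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': a VPN-reachable brute-force target")
    if effective(g, "permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no': logins should be per-user and audited via the bastion")
    for criteria, opts in blocks:
        if effective(opts, "passwordauthentication", "no") == "yes":
            findings.append(f"Match {' '.join(criteria)} re-enables PasswordAuthentication")
    allow = g.get("allowusers", [])
    if not allow:
        findings.append("no AllowUsers: any VPN client may attempt SSH to this host")
    for entry in allow:
        _user, sep, host = entry.rpartition("@")
        if not sep or not host_in_nets(host, nets):
            findings.append(f"AllowUsers {entry!r} is not pinned to the bastion range")
    return findings


# Constructed sample: a fleet host that trusts "on the VPN" (the anti-pattern).
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers deploy ops
"""

# Constructed sample: keys only, no root, logins accepted from the bastion range only.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@10.20.0.0/24
AllowUsers ops@10.20.0.0/24
Match Address 10.20.0.0/24
    LogLevel VERBOSE
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, lint_fleet_sshd(cfg) or "OK")
```

The client side is the matching `~/.ssh/config` entry (`Host *.fleet.internal` with `ProxyJump bastion`) so that users never type the two-hop path by hand. The linter is a textual pre-check for a config-management pipeline; the authoritative answer for a given source address is still `sshd -T -C addr=10.30.0.5,user=deploy,host=fleet01` on the host itself, which evaluates Match blocks the way sshd will.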


Thanks for the response, that clears things up quite a bit. Would you create jump-boxes per environment or do you generally just have 1 with all the different service/env access logic?


It depends. It's more important to have some controls in place than to make super-complicated controls. Again: shell servers you SSH into to SSH out of are kind of an anti-pattern. See elsewhere on the thread about Teleport, which, combined with Tailscale, is I think a pretty good answer to these concerns.


I run an "internal" set of bastion hosts that are gateways into a system that runs telnet. This internal system is able to run SSH, but connections stop around 100 because of OS limits. We need to support 400-500 logins, and that has to be telnet. Everybody connecting has to go through these bastions, including VPN users.

I recently built an nspawn container with tinysshd server, with a .profile that execs telnet to the relevant system on login.

We had previously used an old version of Microfocus Reflections (terminal emulation) with stunnels deployed on all the clients and bastions. That was not containerized, but the server stunnels were set to chroot() on startup.

I recently was forced to support the latest version of Reflections, and since it doesn't support chacha-poly, I also built dropbear SSH server just for them. Reflections is very expensive (~$500/seat), and the best that it supports is aes256-ctr, using Tatu Ylonen's commercial ssh.com (which appears to be abandonware). I really hope we can get rid of that.
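A login-shell version of the telnet hand-off described in that setup, as an added example that is not the commenter's code: installed as the gateway account's shell in /etc/passwd rather than in `.profile` (which only an interactive login shell sources, so `ssh bastion somecommand` would skip it), it execs telnet to the account's one assigned system and logs any command the session tried to pass. It assumes the sshd launches the login shell the way OpenSSH does (`shell -c CMD` for command sessions, `-shell` for interactive ones); the account names, hostnames and ports are made up.

```python
#!/usr/bin/env python3
"""Login shell for telnet-gateway accounts on a bastion: whatever the SSH
session asked for, the user lands in telnet to one pre-assigned system and
never in a shell. Added example, not the commenter's code; the account-to-host
table, hostnames and ports are assumptions."""
import os
import pwd
import sys
import syslog

# Assumption: which internal telnet system each bastion account may reach.
TARGETS = {
    "app1-users": ("app1.telnet.internal", 23),
    "app2-users": ("app2.telnet.internal", 23),
}


def requested_command(argv):
    """sshd runs the login shell as `shell -c CMD` for `ssh bastion CMD` and as
    `-shell` for an interactive login; return CMD, or None for interactive."""
    if len(argv) >= 3 and argv[1] == "-c":
        return " ".join(argv[2:])
    return None


def resolve_target(account, targets=TARGETS):
    """Pick the telnet endpoint for a bastion account; unknown accounts get nothing."""
    try:
        return targets[account]
    except KeyError:
        raise PermissionError(f"account {account!r} has no assigned telnet target") from None


def telnet_argv(host, port):
    """argv for exec: telnet is started directly, with no shell in between."""
    return ["telnet", host, str(port)]


def main():
    account = pwd.getpwuid(os.getuid()).pw_name
    cmd = requested_command(sys.argv)
    try:
        host, port = resolve_target(account)
    except PermissionError as exc:
        syslog.syslog(syslog.LOG_AUTH | syslog.LOG_WARNING, f"telnet-gateway: {exc}")
        sys.exit(1)
    # Log interactive logins and any attempt to pass a command (which is ignored, not run).
    note = f" (ignored command {cmd!r})" if cmd else ""
    syslog.syslog(syslog.LOG_AUTH | syslog.LOG_INFO,
                  f"telnet-gateway: {account} -> {host}:{port}{note}")
    os.execvp("telnet", telnet_argv(host, port))  # replaces this process; never returns


if __name__ == "__main__":
    main()
```

Whether the user can still reach a shell from inside the session then depends on the telnet client in the container: BSD-derived telnet clients offer a `!` escape at their command prompt that spawns `$SHELL`, so check what the binary you ship does with it before relying on the exec alone.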

