Common Server issues – FAQs and answers from those in the know
Debian CIS - partition or multiple EBS on EC2
5 June 2026 @ 1:52 pm
I'm currently going through each CIS check to create a hardened Debian 13 AMI on AWS to launch EC2 instances. Rules from 1.1.2.1.1 to 1.1.2.7.4 are about configuring filesystem partitions. I don't know much about this and I'm wondering which is better: to partition 1 EBS disk or to add an EBS disk for each partition that should be separate.
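As an added example (not part of the original question), here is a small POSIX shell audit that reads a snapshot in /proc/mounts format and reports which of the mount points that CIS section 1.1.2 covers are not separate mounts or lack the expected mount options. The mount-point list and the options per mount point are my reading of the benchmark and are an assumption; compare them with your copy. The sample snapshot is constructed. Either layout from the question passes this kind of check, because the benchmark only looks at what is mounted where and with which options, not at how many EBS volumes sit underneath.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a /proc/mounts snapshot
# against the separate-mount and mount-option checks of CIS Debian section
# 1.1.2. The mapping below (mount point -> required options) is an assumption
# based on my reading of the benchmark; verify it against your own copy.

# mount point|required options (space separated)
CIS_MOUNTS='/tmp|nodev nosuid noexec
/dev/shm|nodev nosuid noexec
/home|nodev nosuid
/var|nodev nosuid
/var/tmp|nodev nosuid noexec
/var/log|nodev nosuid noexec
/var/log/audit|nodev nosuid noexec'

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/nvme0n1p1 / ext4 rw,relatime,discard 0 0
/dev/nvme1n1 /var ext4 rw,nodev,nosuid,relatime 0 0
/dev/nvme2n1 /var/log ext4 rw,nodev,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0'

# cis_audit_mounts <mounts-file>
# Prints one line per finding ("<mount>: not a separate mount" or
# "<mount>: missing <option>"); prints nothing when everything passes.
cis_audit_mounts() {
    mounts_file=$1
    printf '%s\n' "$CIS_MOUNTS" | while IFS='|' read -r mp reqopts; do
        # Field 2 is the mount point, field 4 the options. A later line for
        # the same mount point shadows an earlier one, so keep the last match.
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
        if [ -z "$opts" ]; then
            printf '%s: not a separate mount\n' "$mp"
            continue
        fi
        for opt in $reqopts; do
            case ",$opts," in
                *",$opt,"*) ;;   # option present
                *) printf '%s: missing %s\n' "$mp" "$opt" ;;
            esac
        done
    done
}

# Stand-alone run against the constructed sample. On a real host pass
# /proc/mounts instead (the CIS audit scripts use findmnt for the same data).
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$sample_file"
cis_audit_mounts "$sample_file"
rm -f "$sample_file"
```

On the constructed sample the audit reports /home, /var/tmp and /var/log/audit as not separate, and /dev/shm and /var/log as missing noexec. The choice between one partitioned volume and several volumes does not change the result; the practical difference is operational, since a separate EBS volume can be grown on its own, while a partition on a shared volume needs the partition table adjusted (growpart) before the filesystem can be resized.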
How to *actually* integrate PA-VM with Secrets Manager
4 June 2026 @ 7:45 pm
I have a Palo Alto Next-Gen Firewall PA-VM instance in AWS and I'm trying to get it to fetch certs from AWS Secrets Manager.
Can someone please clarify the actual procedure for getting a PA-VM to read a keypair from AWS Secrets Manager?
I am trying to abide by the guidance in this document: https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/integrate-kms-for-cloud-native-key-management-aws
...but I find it very poorly explained, not worded well and missing crucial details.
I'll get more into that at the end.
I have no idea what PA-VM expects for a key/value in a Secret in Secrets Manager, but I went on to start with just the private-key file dumped into a Secret as raw text in a Secret called "palo-a
HashiCorp Vault in Docker Compose fails with "address already in use" on port 8200 and IPC_LOCK warning
4 June 2026 @ 11:28 am
I'm trying to run HashiCorp Vault (v1.15.0) in Docker Compose on Ubuntu 26.04 LTS (ARM64), but the container immediately exits with two errors:
IPC_LOCK warning: "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
Port binding error: "Error initializing listener of type tcp: listen tcp4 0.0.0.0:8200: bind: address already in use"
Despite lsof, netstat, and ss showing nothing listening on port 8200, Docker insists the port is occupied. This happens consistently even after:
Stopping all containers
Restarting Docker daemon
Changing Vault to use port 8201
Removing all Docker networks and containers
What I've tried:
Basic troubleshooting:
sudo lsof -i :8200 → No output
sudo netstat -tulpn | grep :8200 → No output
ss -tulpn | grep :8200 → No output
docker container prune -f and docker network prune -f
sudo systemctl restart doc
Hairpin NAT not working on EdgeRouter [closed]
3 June 2026 @ 8:43 pm
I have an EdgeRouter ERPro-8 router with 6 static IPs assigned to the WAN interface (eth6).
I need hairpin NAT, but checking Hairpin NAT under Firewall/NAT does not work. Requests to a public WAN IP hit the WAN side of the EdgeRouter instead of redirecting back to the server. I tried adding a DNAT rule as shown at https://help.uisp.com/hc/en-us/articles/22591184776983-EdgeRouter-Hairpin-NAT and it doesn't seem to work. What am I doing wrong?
Can access my router's static IP from cellular data, but not from outside wifi [closed]
3 June 2026 @ 10:26 am
I have a router with a public static IP address. When I'm outside my network and use my phone's cellular data, I can access the router public static IP (for remote management/services).
However, when I connect my laptop to any Wi-Fi network and try to access the same public static IP, it doesn't work.
Internet connectivity on the laptop works normally. Could this be related to NAT Loopback / Hairpin NAT not supported by the router?
Firewall settings?
DNS resolution issues?
Something else?
Has anyone experienced this before?
What should I check to diagnose the problem?
How can a mobile client access NVRs at multiple sites through a single WireGuard connection?
3 June 2026 @ 10:02 am
Problem
My current approach is WireGuard VPN access to each UniFi Cloud Gateway.
However, mobile operating systems generally allow only one WireGuard tunnel to be active at a time. Switching between multiple VPN profiles manually is not practical for daily use, and it prevents simultaneous access to NVRs at different sites.
I am aware that UniFi's cloud-based remote access could simplify this, but I would prefer not to use the UI.com cloud connection. The solution should remain self-managed where possible.
At the same time, I am not looking for a highly complex enterprise design. A relatively simple and maintainable solution would be preferred.
Question
What is the recommended architecture for this scenario?
Specifically:
How do you provide mobile access to NVRs located behind multiple independent sites?
Do you aggregate the sites into a central VPN hub, use site-to-site tunnels, or use another approach?
What solution allows a
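As an added example, not from the question and not a description of any UniFi feature, here is the hub-and-spoke layout in plain WireGuard configuration: one hub with a public address terminates the phone's single tunnel and one tunnel per site gateway, and forwards between them, so the phone reaches every site's NVR through one active tunnel. Hostnames, keys and subnets are placeholders; it assumes each site has something that can run a WireGuard peer and forward for its LAN (the site gateway itself, or a small box on that LAN).

```ini
# Added example, not from the original post. Three files, one per host.
# Placeholder values: hub.example.net, 192.168.10.0/24 (site A LAN),
# 192.168.20.0/24 (site B LAN), 10.200.0.0/24 (tunnel addresses), <keys>.

# ---- hub: /etc/wireguard/wg0.conf (public IP, forwards between peers) ----
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>
# Routing between peers needs forwarding enabled on the hub. wg-quick adds
# a route for every AllowedIPs entry below, so no static routes are needed.
PostUp = sysctl -w net.ipv4.ip_forward=1

# Site A gateway: the hub sends anything for 192.168.10.0/24 to this peer.
[Peer]
PublicKey = <siteA-public-key>
AllowedIPs = 10.200.0.2/32, 192.168.10.0/24

# Site B gateway
[Peer]
PublicKey = <siteB-public-key>
AllowedIPs = 10.200.0.3/32, 192.168.20.0/24

# Mobile client: only its own tunnel address is routed back to it.
[Peer]
PublicKey = <phone-public-key>
AllowedIPs = 10.200.0.10/32

# ---- site A gateway: wg0.conf (initiates to the hub, forwards for its LAN) ----
[Interface]
Address = 10.200.0.2/24
PrivateKey = <siteA-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = <hub-public-key>
Endpoint = hub.example.net:51820
# Accept the tunnel range (so NVR replies to 10.200.0.10 go back through the
# hub) plus the other site's LAN if the sites should reach each other.
AllowedIPs = 10.200.0.0/24, 192.168.20.0/24
PersistentKeepalive = 25   # keeps the mapping open behind NAT/CGNAT

# ---- phone: one tunnel, all sites ----
[Interface]
Address = 10.200.0.10/32
PrivateKey = <phone-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = hub.example.net:51820
# Every site LAN is listed here, so the single tunnel carries all of them.
AllowedIPs = 10.200.0.0/24, 192.168.10.0/24, 192.168.20.0/24
PersistentKeepalive = 25
```

The sites only ever initiate outbound to the hub, so no site needs a public IP or an inbound port, and nothing depends on UI.com. The hub is a plain Linux host with one open UDP port; if its forward chain has a DROP policy, allow traffic in and out of wg0 explicitly. The NVR must use the site gateway (or whichever box runs WireGuard) as its route to 10.200.0.0/24, which is automatic when that box is the LAN's default gateway.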
Windows client doesn't use server-side content search when searching index share on Windows Server
2 June 2026 @ 6:36 pm
A Windows server has the Indexing service active, and is indexing some folder (and subfolders) that are exposed as a file share. You can use File Explorer to search for content in the shared folders on the server and it works as expected: it returns results even when the search terms are not in the file metadata.
Windows clients (e.g. Windows 11) map to the file share. The user enters the same content search in File Explorer, with Search options > File Contents not selected. The expected result is that the search will use the server-side index, but it doesn't work. Why not?
What are practical performance expectations for hybrid storage arrays? [closed]
2 June 2026 @ 5:47 pm
We're looking into some hybrid storage arrays. Specifically the IBM FlashSystem 5045, the Dell PowerVault ME5 series, and the HPE MSA 2062. All I find online so far is max IOPS in the hundreds of thousands, or millions if it's IBM, but nothing on a more practical day-to-day basis.
I understand it varies by workloads quite extensively but does anyone have any of these appliances or more real world numbers that they could share? Any practical information would be greatly appreciated.
Our current appliance is an old Tegile T4100, for comparison, with a variety of VMs on some old VMware ESXi setups.
What puppet code would install nginx from nginx.org (latest version)
1 June 2026 @ 2:43 pm
To install the latest (stable) version of nginx, the nginx.org website recommends downloading the signature key and adding an entry to apt/sources.list.d.
How can I automate the apt configuration, using puppet?
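As an added example (not from the question and not from nginx.org's own instructions), here is a Puppet class that does the same steps with the puppetlabs-apt module: fetch and de-armor the nginx.org signing key, add the repository restricted to that key, pin nginx.org above the Debian packages, and install nginx. It assumes puppetlabs-apt 9 or newer (for the `keyring` parameter of `apt::source`), curl and gpg on the node, and a Debian release that nginx.org publishes packages for; the class name is a placeholder.

```puppet
# Added example, not the project's code. Assumes puppetlabs-apt >= 9.
# Use 'packages/mainline/debian' instead of 'packages/debian' for mainline.
class profile::nginx_org (
  String $keyring = '/usr/share/keyrings/nginx-archive-keyring.gpg',
) {
  include apt

  # nginx.org publishes an ASCII-armored key; store it de-armored and use
  # it only for this repository via signed-by (no apt-key).
  exec { 'nginx-signing-key':
    command => "curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o ${keyring}",
    path    => ['/usr/bin', '/bin'],
    creates => $keyring,
  }

  apt::source { 'nginx':
    location => 'http://nginx.org/packages/debian',
    release  => $facts['os']['distro']['codename'],
    repos    => 'nginx',
    keyring  => $keyring,
    include  => { 'deb' => true, 'src' => false },
    require  => Exec['nginx-signing-key'],
  }

  # Prefer nginx.org's build over Debian's, as nginx.org's install notes
  # recommend, so 'ensure => latest' tracks the nginx.org repository.
  apt::pin { 'nginx':
    origin   => 'nginx.org',
    packages => '*',
    priority => 900,
  }

  package { 'nginx':
    ensure  => latest,
    require => [Apt::Source['nginx'], Apt::Pin['nginx'], Class['apt::update']],
  }
}
```

`ensure => latest` is what makes this follow nginx.org's newest stable release on every run; use a fixed version string instead if you want upgrades to be deliberate. The `exec` trusts TLS to nginx.org for the key; if you want the key under change control, ship it from your Puppet fileserver with a `file` resource (after checking its fingerprint against the one published on nginx.org) and drop the `exec`.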
Cannot delete AD computer object due to "the requested object has a non unique identifier and cannot be retrieved"
5 May 2026 @ 8:15 am
Our Environment:
Active Directory domain domain.local, Forest and Domain Functional Level 2016
8 Domain Controllers (mixed Server 2019 and 2022)
replication healthy (repadmin /replsummary: 0 errors)
The Problem:
Two computer objects were affected (both Server 2022 members, Hyper-V VMs). The servers were re-joined under new names after losing trust (rejoining over PowerShell was not possible).
How it manifests over time:
The AD-object becomes "frozen" at some unknown point (root cause unclear)
Netlogon Event 3224 fires every 4 hours: machine account password change fails with the same internal error
After several weeks the trust relationship breaks (the server can no longer authenticate against the domain)
The administrator re-joins the server under a new name and the old object cannot be delete