first commit

This commit is contained in:
2025-02-08 21:56:24 +01:00
commit 1f9564ca6a
471 changed files with 74368 additions and 0 deletions

View File

@@ -0,0 +1,78 @@
## Not specified
- [ ] AM-NAS-04 - AMSilk GmbH
- [ ] ALL-NAS-04 - Allude GmbH
- [ ] BETA-NAS-01 - Beta Film GmbH
- [ ] BETA-NAS-02 - Beta Film GmbH
- [ ] BETA-NAS-03 - Beta Film GmbH
- [ ] BETAS4 - Beta Film GmbH
- [ ] BHA-NAS-RGB-01 - bharchitektengesellschaft mbH
- [ ] BJKS-NAS-01 - BJKS Architekten und Ingenieure
- [ ] BZT-NAS-01 - Bürgerzentrum Trudering e.V.
- [ ] CHT-NAS-01 - CHAIN-TEC GmbH
- [ ] DANDL-NAS-01 - Dandl-Ögfa GmbH
- [ ] DPA-NAS-01 - Dinkel Persch Architekten GmbH
- [ ] DUB-NAS-01 - DUBAG Investment Advisory
- [ ] FGA-NAS-01 - Forth Grünig Architekten GmbH
- [ ] GATE-NAS-02 - Gate Garching
- [ ] GG-NAS-01 - Gymnasium Grünwald
- [ ] HMR-NAS-01 - Heilmaier GmbH Messedesign
- [ ] HTS-NAS-01 - High Tech Services GmbH
- [ ] IHM-NAS-01 - Italienische Handelskammer e.V.
- [ ] MAC-NAS-03 - MACCON GmbH & Co. KG
- [ ] MAC-NAS-04 - MACCON GmbH & Co. KG
- [ ] MEYER-NAS-03 - meyer.rechtsanwalts GmbH
- [ ] MN-NAS-05 - MAIER.NEUBERGER.ARCHITEKTEN GmbH
- [ ] MN-NAS04 - MAIER.NEUBERGER.ARCHITEKTEN GmbH
- [ ] NAS-EVT-02 - Grundschule Grasslfing
- [ ] NAS-HVT-01 - Grundschule Grasslfing
- [ ] NAS01 - 03 Arch. GmbH
- [ ] NAS01 - Joachim Rummel
- [ ] NAS01 - SciRhom GmbH
- [ ] NAS01 - TopConcept Management Beratungs GmbH
- [ ] NAS01 - jit electronic gmbh
- [ ] NAS02 - SciRhom GmbH
- [ ] NAS03 - Volkshochschule Unterhaching e.V.
- [ ] RCM-NAS-01 - Radiochemie München
- [ ] RLP-NAS-01 - REINHART Rechtsanwälte Partnerschaft mbB
- [ ] RackStation - Hans Ostner Installation- und Heizungsbau GmbH
- [ ] SINUS-NAS-02 - SINUS Personalmanagement GmbH
- [ ] SLG-NAS01 - Schlögel Bauingenieure GmbH
- [ ] SPGTV-NAS - Beta Film GmbH
- [ ] SYN1 - bharchitektengesellschaft mbH
- [ ] SYN3 - bharchitektengesellschaft mbH
- [ ] TGA-NAS-01 - TGA CONSULTING AG
- [ ] TGA-NAS-05 - TGA CONSULTING AG
- [ ] TH-NAS-01 - Thomas Helm GmbH
- [ ] WP-NAS-02 - zz (kein MSP) Weber Partner Sonnenschutzsysteme International GmbH
- [ ] WUH-BACKUP (NAS) - W&H Projektentwicklung GmbH & Co. Kirchlechner KG
- [ ] am-nas - AcadeMedia GmbH
- [ ] buf-nas-01 - Boschmann + Feth Architekten
- [ ] espec-nas-01 - ESPEC EUROPE GmbH
- [ ] hb-nas-01 - Architekturbüro Holzfurtner und Bahner
- [ ] hb-nas-03 - Architekturbüro Holzfurtner und Bahner
- [ ] hr-nas-01 - Architekturbüro Hannes Rössler
- [ ] hr-nas-02 - Architekturbüro Hannes Rössler
- [ ] kwa-server.knoppwassmer.de Synology NAS - Knopp Wassmer Architekten PartG mbB
- [ ] nas01 - GE-Planung GmbH
- [ ] nas01 - XELLER Villenbau & Planungs GmbH
- [ ] np-nas-01 - Nicolas Müller Landschaftsarchitekur
- [ ] null3-nas-03 - 03 Arch. GmbH
- [ ] rackstation-95 - studio2010 GmbH & Co KG
- [ ] ssr-server.studio-stadt-region.de Synology NAS - STUDIO STADT REGION Architektur & Stadtentwicklung
- [ ] wbe-nas-01 - WBE-Facility Management GmbH
## Non Hyper Backup NAS
- [x] NAS01 - 03 Arch. GmbH
- [x] null03-nas-03 - 03 Arch. GmbH
## Hyper Backup NAS
## Special
- [x] hb-nas-01 - Architektenbuero Holzfurtner und Bahner - SMTP set
- [x] hb-nas-02 - Architektenbuero Holzfurtner und Bahner - offline/does not exist?
- [x] hb-nas-03 - Architektenbuero Holzfurtner und Bahner - SMTP set
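Review bot: the categories overlap and the hostnames are inconsistent, so this checklist cannot serve as an authoritative inventory: the 03 Arch. GmbH devices are listed under `## Not specified` and again under `## Non Hyper Backup NAS` (spelled `null3-nas-03` in one place and `null03-nas-03` in the other), `hb-nas-01` and `hb-nas-03` appear under both `## Not specified` and `## Special` (with `Architekturbüro` and `Architektenbuero` used for the same customer), and `## Hyper Backup NAS` is an empty heading. Each device should appear under exactly one classification, with the hostname spelled as the device reports it, and the empty section should be filled or dropped.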

View File

@@ -0,0 +1,58 @@
[ ] AM-NAS-04 - AMSilk GmbH
[ ] ALL-NAS-04 - Allude GmbH
[x] BETA-NAS-01 - Beta Film GmbH
[v] BETA-NAS-02 - Beta Film GmbH
[v] BETA-NAS-03 - Beta Film GmbH
[v] BETAS4 - Beta Film GmbH
[ ] BHA-NAS-RGB-01 - bharchitektengesellschaft mbH
[ ] BJKS-NAS-01 - BJKS Architekten und Ingenieure
[ ] BZT-NAS-01 - Bürgerzentrum Trudering e.V.
[ ] CHT-NAS-01 - CHAIN-TEC GmbH
[ ] DANDL-NAS-01 - Dandl-Ögfa GmbH
[ ] DPA-NAS-01 - Dinkel Persch Architekten GmbH
[ ] DUB-NAS-01 - DUBAG Investment Advisory
[ ] FGA-NAS-01 - Forth Grünig Architekten GmbH
[ ] GATE-NAS-02 - Gate Garching
[ ] GG-NAS-01 - Gymnasium Grünwald
[ ] HMR-NAS-01 - Heilmaier GmbH Messedesign
[ ] HTS-NAS-01 - High Tech Services GmbH
[ ] IHM-NAS-01 - Italienische Handelskammer e.V.
[x] MAC-NAS-03 - MACCON GmbH & Co. KG
[x] MAC-NAS-04 - MACCON GmbH & Co. KG
[v] MEYER-NAS-03 - meyer.rechtsanwalts GmbH
[x] ALLNET NAS - meyer.rechtsanwalts GmbH (Speicher fast voll/ Es sollte in NinjaOne umbenennt)
[x] MN-NAS-05 - MAIER.NEUBERGER.ARCHITEKTEN GmbH
[x] MN-NAS04 - MAIER.NEUBERGER.ARCHITEKTEN GmbH
[x] NAS-EVT-02 - Grundschule Grasslfing
[x] NAS-HVT-01 - Grundschule Grasslfing
[ ] NAS01 - Joachim Rummel
[x] NAS01 - SciRhom GmbH
[ ] NAS01 - TopConcept Management Beratungs GmbH
[ ] NAS01 - jit electronic gmbh
[x] NAS02 - SciRhom GmbH
[ ] NAS03 - Volkshochschule Unterhaching e.V.
[ ] RCM-NAS-01 - Radiochemie München
[ ] RLP-NAS-01 - REINHART Rechtsanwälte Partnerschaft mbB
[ ] RackStation - Hans Ostner Installation- und Heizungsbau GmbH
[ ] SINUS-NAS-02 - SINUS Personalmanagement GmbH
[ ] SLG-NAS01 - Schlögel Bauingenieure GmbH
[ ] SPGTV-NAS - Beta Film GmbH
[v] SYN1 - bharchitektengesellschaft mbH (Back up schon in IT-Glue dokumentiert)
[x] SYN3 - bharchitektengesellschaft mbH
[x] TGA-NAS-01 - TGA CONSULTING AG
[x] TGA-NAS-05 - TGA CONSULTING AG
[ ] TH-NAS-01 - Thomas Helm GmbH
[ ] WP-NAS-02 - zz (kein MSP) Weber Partner Sonnenschutzsysteme International GmbH
[ ] WUH-BACKUP (NAS) - W&H Projektentwicklung GmbH & Co. Kirchlechner KG
[ ] am-nas - AcadeMedia GmbH
[ ] buf-nas-01 - Boschmann + Feth Architekten
[ ] espec-nas-01 - ESPEC EUROPE GmbH
[x] hr-nas-01 - Architekturbüro Hannes Rössler (Neue Festplatte muss gekauft werden)
[x] hr-nas-02 - Architekturbüro Hannes Rössler
[ ] kwa-server.knoppwassmer.de Synology NAS - Knopp Wassmer Architekten PartG mbB
[ ] nas01 - GE-Planung GmbH
[ ] nas01 - XELLER Villenbau & Planungs GmbH
[ ] np-nas-01 - Nicolas Müller Landschaftsarchitekur
[ ] rackstation-95 - studio2010 GmbH & Co KG
[ ] ssr-server.studio-stadt-region.de Synology NAS - STUDIO STADT REGION Architektur & Stadtentwicklung
[ ] wbe-nas-01 - WBE-Facility Management GmbH
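Review bot: the checkbox markers are ambiguous and the list does not render as a task list: `[ ]`, `[x]` and `[v]` are used side by side with no legend saying what `[v]` means as opposed to `[x]`, and without a leading `- ` Markdown shows the brackets as literal text. Add a one-line legend at the top and use `- [ ]`/`- [x]` consistently; the open items noted inline in German (storage almost full and a rename pending in NinjaOne for `ALLNET NAS`, a new disk to be bought for `hr-nas-01`) belong in a tracked ticket rather than a parenthetical.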

View File

@@ -0,0 +1,62 @@
ALL-NAS-04,Allude GmbH
RLP-NAS-01,REINHART Rechtsanwälte Partnerschaft mbB
HMR-NAS-01,Heilmaier GmbH Messedesign
nas01,XELLER Villenbau & Planungs GmbH
GG-NAS-01,Gymnasium Grünwald
WUH-BACKUP (NAS),W&H Projektentwicklung GmbH & Co. Kirchlechner KG
WP-NAS-02,zz (kein MSP) Weber Partner Sonnenschutzsysteme International GmbH
HTS-NAS-01,High Tech Services GmbH
AM-NAS-04,AMSilk GmbH
NAS01,jit electronic gmbh
ssr-server.studio-stadt-region.de Synology NAS,STUDIO STADT REGION Architektur & Stadtentwicklung
MN-NAS-05,MAIER.NEUBERGER.ARCHITEKTEN GmbH
NAS-EVT-02,Grundschule Grasslfing
NAS-HVT-01,Grundschule Grasslfing
kwa-server.knoppwassmer.de Synology NAS,Knopp Wassmer Architekten PartG mbB
SINUS-NAS-02,SINUS Personalmanagement GmbH
hb-nas-03,Architekturbüro Holzfurtner und Bahner
hb-nas-01,Architekturbüro Holzfurtner und Bahner
np-nas-01,Nicolas Müller Landschaftsarchitekur
IHM-NAS-01,Italienische Handelskammer e.V.
BETA-NAS-01,Beta Film GmbH
NAS03,Volkshochschule Unterhaching e.V.
BETAS4,Beta Film GmbH
TGA-NAS-05,TGA CONSULTING AG
TGA-NAS-01,TGA CONSULTING AG
DPA-NAS-01,Dinkel Persch Architekten GmbH
BETA-NAS-02,Beta Film GmbH
SPGTV-NAS,Beta Film GmbH
TH-NAS-01,Thomas Helm GmbH
MN-NAS04,MAIER.NEUBERGER.ARCHITEKTEN GmbH
nas01,GE-Planung GmbH
RCM-NAS-01,Radiochemie München
RackStation,Hans Ostner Installation- und Heizungsbau GmbH
NAS01,03 Arch. GmbH
null3-nas-03,03 Arch. GmbH
NAS01,TopConcept Management Beratungs GmbH
SLG-NAS01,Schlögel Bauingenieure GmbH
NAS01,SciRhom GmbH
NAS02,SciRhom GmbH
CHT-NAS-01,CHAIN-TEC GmbH
buf-nas-01,Boschmann + Feth Architekten
rackstation-95,studio2010 GmbH & Co KG
MAC-NAS-03,MACCON GmbH & Co. KG
DUB-NAS-01,DUBAG Investment Advisory
MAC-NAS-04,MACCON GmbH & Co. KG
BETA-NAS-03,Beta Film GmbH
BZT-NAS-01,Bürgerzentrum Trudering e.V.
am-nas,AcadeMedia GmbH
DANDL-NAS-01,Dandl-Ögfa GmbH
hr-nas-01,Architekturbüro Hannes Rössler
hr-nas-02,Architekturbüro Hannes Rössler
NAS01,Joachim Rummel
SYN1,bharchitektengesellschaft mbH
wbe-nas-01,WBE-Facility Management GmbH
SYN3,bharchitektengesellschaft mbH
GATE-NAS-02,Gate Garching
espec-nas-01,ESPEC EUROPE GmbH
ALLNET NAS,meyer.rechtsanwalts GmbH
MEYER-NAS-03,meyer.rechtsanwalts GmbH
BHA-NAS-RGB-01,bharchitektengesellschaft mbH
FGA-NAS-01,Forth Grünig Architekten GmbH
BJKS-NAS-01,BJKS Architekten und Ingenieure
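Review bot: the CSV has no header row and its first column is not unique, so it cannot be used as a key for joining against the checklists: `NAS01` occurs five times and `nas01` twice, with only the customer name disambiguating them. Add a header line (for example `hostname,customer`) and a column that is unique per device (serial number or an inventory ID); the same 62 rows also appear in the next file in sorted order, so one of the two copies should be the source of truth and the other generated from it.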

View File

@@ -0,0 +1,62 @@
ALLNET NAS,meyer.rechtsanwalts GmbH
AM-NAS-04,AMSilk GmbH
BETA-NAS-01,Beta Film GmbH
BETA-NAS-02,Beta Film GmbH
BETA-NAS-03,Beta Film GmbH
BETAS4,Beta Film GmbH
BHA-NAS-RGB-01,bharchitektengesellschaft mbH
BJKS-NAS-01,BJKS Architekten und Ingenieure
BZT-NAS-01,Bürgerzentrum Trudering e.V.
CHT-NAS-01,CHAIN-TEC GmbH
DANDL-NAS-01,Dandl-Ögfa GmbH
DPA-NAS-01,Dinkel Persch Architekten GmbH
DUB-NAS-01,DUBAG Investment Advisory
FGA-NAS-01,Forth Grünig Architekten GmbH
GATE-NAS-02,Gate Garching
GG-NAS-01,Gymnasium Grünwald
HMR-NAS-01,Heilmaier GmbH Messedesign
HTS-NAS-01,High Tech Services GmbH
IHM-NAS-01,Italienische Handelskammer e.V.
MAC-NAS-03,MACCON GmbH & Co. KG
MAC-NAS-04,MACCON GmbH & Co. KG
MEYER-NAS-03,meyer.rechtsanwalts GmbH
MN-NAS-05,MAIER.NEUBERGER.ARCHITEKTEN GmbH
MN-NAS04,MAIER.NEUBERGER.ARCHITEKTEN GmbH
NAS-EVT-02,Grundschule Grasslfing
NAS-HVT-01,Grundschule Grasslfing
NAS01,03 Arch. GmbH
NAS01,Joachim Rummel
NAS01,SciRhom GmbH
NAS01,TopConcept Management Beratungs GmbH
NAS01,jit electronic gmbh
NAS02,SciRhom GmbH
NAS03,Volkshochschule Unterhaching e.V.
RCM-NAS-01,Radiochemie München
RLP-NAS-01,REINHART Rechtsanwälte Partnerschaft mbB
RackStation,Hans Ostner Installation- und Heizungsbau GmbH
SINUS-NAS-02,SINUS Personalmanagement GmbH
SLG-NAS01,Schlögel Bauingenieure GmbH
SPGTV-NAS,Beta Film GmbH
SYN1,bharchitektengesellschaft mbH
SYN3,bharchitektengesellschaft mbH
TGA-NAS-01,TGA CONSULTING AG
TGA-NAS-05,TGA CONSULTING AG
TH-NAS-01,Thomas Helm GmbH
WP-NAS-02,zz (kein MSP) Weber Partner Sonnenschutzsysteme International GmbH
WUH-BACKUP (NAS),W&H Projektentwicklung GmbH & Co. Kirchlechner KG
am-nas,AcadeMedia GmbH
buf-nas-01,Boschmann + Feth Architekten
espec-nas-01,ESPEC EUROPE GmbH
hb-nas-01,Architekturbüro Holzfurtner und Bahner
hb-nas-03,Architekturbüro Holzfurtner und Bahner
hr-nas-01,Architekturbüro Hannes Rössler
hr-nas-02,Architekturbüro Hannes Rössler
kwa-server.knoppwassmer.de Synology NAS,Knopp Wassmer Architekten PartG mbB
nas01,GE-Planung GmbH
nas01,XELLER Villenbau & Planungs GmbH
np-nas-01,Nicolas Müller Landschaftsarchitekur
null3-nas-03,03 Arch. GmbH
rackstation-95,studio2010 GmbH & Co KG
ssr-server.studio-stadt-region.de Synology NAS,STUDIO STADT REGION Architektur & Stadtentwicklung
wbe-nas-01,WBE-Facility Management GmbH
ALL-NAS-04,Allude GmbH
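Review bot: this is the same 62-row data set as the previous file, sorted by hostname except for `ALL-NAS-04,Allude GmbH`, which was left at the end out of order; two copies will drift the moment one is edited. Keep a single file, fix the sort order, and add the header row here too.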

View File

@@ -0,0 +1,11 @@
**OPNsense** is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
OPNsense started as a fork of pfSense and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of bot m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.
OPNsense offers weekly security updates with small increments to react on new emerging threats within in a fashionable time. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.
## Mission Statement
> "Our mission is to make OPNsense the most widely used open source security platform. We give users, developers and business a friendly, stable and transparent environment.
> The project's name is derived from open and sense stands for: 'Open (source) makes sense.'"
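Review bot: typos in the introduction: `bot m0n0wall and pfSense` should read `both`, and `react on new emerging threats within in a fashionable time` should read `react to newly emerging threats within a reasonable time`. The quoted mission statement carries no source; add the URL it was taken from, as the Business Edition note in this commit does.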

View File

@@ -0,0 +1,43 @@
---
title: "OPNsense - Maintenance time estimate"
author: Petar Cubela
date: July 03, 2024
geometry: margin=1.5cm
output: pdf_document
---
## Intro
Let us roughly calculate the time needed to maintain a OPNsesne firewall.
Here we assumer that the firewall is already configured. Thus we are looking at standard maintenance of the device.
## OPNcentral
We are using OPNcentral which is able to monitor arbitrary numbers of OPNsense firewalls:
- it manually/automatically creates backups of all integrated firewalls
- backups can be read and compared for any firewall integrated in OPNcentral
- firmware, services and resources status of each OPNsense firewall can be managed via OPNcentral
- plugin configuration can be managed and send to each firewall via OPNcentral
## Time Consumption
- updates have to been done regularly which can be checked and updated for all firewalls simultaneously via OPNcentral (~ 1h per month for all firewalls!)
- in general the firewall will run flawlessly once setup without much interaction as long as nothing complicated has to be changed.
- changes in the configuration for known features should be in general simple (~1h per month for all firewalls!)
- changes for new plugins should take longer depending on the plugin but happens seldom (few/many days depending on plugin once each half year)
- OpenVPN integration is better integrated in Sophos. We will probably need to export the client configuration for each user (~ 1h per week for each firewall, depending on the number of users requiring vpn)
- there can be unexpected problems with the firewall in production use which we have to test and can not assess pre-usage (~ 1h per month a firewall)
### Estimation
- ~ 1h/month for updates
- ~ 1h/month for small config changes
- ~ up to days for configuring new desired plugins. happens once per year/half year?
- ~ 1h/month for vpn client export
- ~ 1h/month for unexpected issues/tickets
Which summarizes to **~ 4 hours per month** and more when new not-so-known plugins have to be configured.
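Review bot: the per-item figures and the summary do not use the same scope, so `~ 4 hours per month` is not supported by the bullets above it: VPN client export is estimated at `~ 1h per week for each firewall` (about 4h per month per firewall) but enters the summary as `~ 1h/month`, and unexpected problems are `~ 1h per month a firewall` while updates and config changes are `for all firewalls`. Restate every line as either per firewall or for the whole fleet, and multiply by the number of firewalls before summing. Also `OPNsesne` → `OPNsense`, `assumer` → `assume`, `have to been done` → `have to be done`, `send to each firewall` → `sent to each firewall`.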

View File

@@ -0,0 +1,38 @@
## Intro
Start from beginning with factory settings.
### TODO
- [x] create sbxadmin user
- [x] Enable ssh
- [x] check wan is working
- [x] familiarize with Center management
- [x] manage opnsense via wan port (use DynDNS)
- [ ] try cluster of two opnsense nodes in proxmox
### Comments
- Very loooong boot times
## Enable LAN Bridge
Links to manuals:
- <https://docs.opnsense.org/manual/how-tos/lan_bridge.html>
- <https://kb.protectli.com/kb/how-to-enable-lan-bridge-in-opnsense/>
## Enable SSH
System -> Settings -> Administration -> Secure Shell
- **Check** Enable Secure Shell
- Login Group: wheel, admins
- **DO NOT** permit root user login
- Permit password login
- Changed ssh port to 69
## Central Management
Follow: <https://docs.opnsense.org/vendor/deciso/opncentral.html>
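Review bot: `Changed ssh port to 69` conflicts with the generic checklist in this commit, which sets `port: 22`, and 69 is the well-known TFTP port, so firewall rules or IDS signatures keyed on port 69 will misclassify the traffic; pick one port and record it in one place. `Permit password login` combined with `manage opnsense via wan port (use DynDNS)` means the password is the only protection on a WAN-reachable management port; prefer key-based login and keep the WAN-side source restriction that the checklist still has open. `Very loooong boot times` would be more useful with the measured duration and the hardware it was observed on.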

View File

@@ -0,0 +1,8 @@
## DONE
- general settings
- SSH settings
- Networkflow config (optional??)
- Setup OpenVPN (authentication via local database)
- local backup for OPNcentral
- backup for hosts via OPNcentral

View File

@@ -0,0 +1,16 @@
- mailgateway
- reverse proxy (web application firewall)
- ssl/tsl inspection and decryption
- VPN authentication via Active Directory
## TODO
- [x] setup simple web server on a virtual linux machine
- [x] setup smtp in a virtual linux machine
- [x] set the test sever in opnsense's network
## Notes
VPN: Jan passwd: itKE=-gcbXN.=46
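Review bot: `VPN: Jan passwd: itKE=-gcbXN.=46` commits a user's VPN password in plaintext; it stays in the git history even after the line is deleted, so the password should be rotated now and kept in a password manager, with the note reduced to where it is stored. The file also starts mid-list (the first four bullets have no heading), `ssl/tsl` should be `ssl/tls`, and `test sever` should be `test server`.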

View File

@@ -0,0 +1,3 @@
[[OPNsense-about]]
[[OPNsense-config]]
[[OPNsense-config_summary]]

View File

@@ -0,0 +1,4 @@
## Introduction
An _Intrusion Detection System_ (IDS) watches network traffic for suspicious patterns and can alert operators when a pattern matches a database of known behaviors.
An _Intrusion Prevention System_ (IPS) goes a step further by inspecting each packet as it traverses a network interface to determine if the packet is suspicious in some way. If it matches a known pattern the system can drop the packet in an attempt to mitigate a threat.

View File

@@ -0,0 +1,38 @@
## Location
Schwanthalerstr. 106
Backup key: f2e3e44045f5da80fa7cfd2ccf38c4b03686764715398c20f538d12817670b63
## Questions
- Ist the VLAN tag 7 for the pppoe manually set
- Gast interface ipv6 prefixx id of 1 not working
- do we need router advertisement?
## Credentials
### PPPoe
![ppp confitg](/files/apsa/pfsense_ppp-setup.png)
- username: vdsl.vodafone/bi9442189781-static
- password: cnh2bWJ3Y2w= (hashed via base64)
### DynDNS
- username: apsa-muc.spdns.de
- password: YnptYi11ZGd1LWJ2d2I= (hashed via base64)
## Config in place
- PPPoe
- DynDNS
## Pass
pfsense/opnsense local: admin, pass: xfapimsgwztkojrulqeb
pfsense/opnsense rz: admin, pass: xfapimsgwztkojrulqeb
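Review bot: this file puts the backup encryption key, the PPPoE and DynDNS credentials and the admin password for both firewalls into the repository, and the `(hashed via base64)` label is wrong: base64 is a reversible encoding, not a hash, so those two passwords are effectively in clear text. All of them should be rotated and moved to a secrets store (the commit history keeps them), the notes should reference the store entry only, and the local and `rz` devices currently share one `admin` password and should get distinct credentials. Smaller points: `Ist the VLAN tag` → `Is the VLAN tag`, `prefixx` → `prefix`, `ppp confitg` → `ppp config`, and the three items under `## Questions` have no recorded answers.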

View File

@@ -0,0 +1,21 @@
## Intro
[Source](https://docs.opnsense.org/be.html#)
> A mission critical version of the well-known OPNsense firewall.
> The Business Edition offers additional safeguards where functional changes are being included in a more conservative manner and feedback has been collected from development and community.
> Offering specific business-oriented features and third party security verification. Currently, the only open source LINCE compliant firewall.
> - Mission critical
> - LINCE compliant (security verification by trained third party independent professionals)
> - Commercial firmware repository
> - Free GeoIP database
> - Official OPNsense Open Virtualisation Image
> - Central Management, including easy one click remote host access, provisioning and monitoring.
> - Web Application Firewall
> - Free E-Book (English & German)
### More Information
- [Central Management](https://docs.opnsense.org/vendor/deciso/opncentral.html)
- [Web Application Firewall](https://docs.opnsense.org/vendor/deciso/opnwaf.html)
- [Extended Blocklist](https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html)

View File

@@ -0,0 +1,17 @@
## MyNotes
- It is advised to generate proper certificates for the machines.
## Installation
Install `os-OPNcentral` under System->Firmware->Plugins
## Register new hosts
- Generate an API key and secret from the machine which should be granted access to.
- API keys are managed in the user manager
-
## Provisioning Classes

View File

@@ -0,0 +1,62 @@
## Sbx Office IP
- 213.160.17.142/28
- 213.160.17.141
## Generic Checklist
- [x] Set WAN - generic DHCP
- [x] Set LAN - generic 192.168.1.1
- [x] timezone: Europe/Berlin
- [x] Set Hostname (OPNsense) , domain name (localhost)
- [x] ntp server
- [x] static dns setup
- [x] std sbxadmin user
- [x] enable assess log (system -> settings -> administration)
- [x] LAN Bridge - generic all ports in bridge except igc1 (second port) is WAN port
- [x] enable ssh: enable, DO NOT permit root login, permit password login, port: 22
- [ ] firewall rules (LAN, WLAN, WLAN Guest {drop packets to LAN} ), std port activation
- [ ] local backups
- [ ] add office public ip as trusted (wan only reachable via office ip)
### Optional
- [x] web filtering
- [x] http scanning
- [ ] application control
- [x] ssl/tls inspection
- [ ] ssl certificates
### Mandatory Plugins
- [x] OPNcentral (for central management)
## Special Checklist
- [ ] add license TO: system -> firmware -> settings
- [ ] WAN - static config or pppoe or whatever
- [ ] LAN - ip network
- [ ] domain name (gw.domain.tld)
- [ ] ldap server config
- [ ] system update on first boot! (WITH BUSSINES LICENSE)
- [ ] setup dhcp server if used
- [ ] connect to opncentral
- [ ] create backups to opncentral
- [ ] setup ldap server
- [ ] setup openvpn server with authentication via ldap
## OPNsense Importer
> "All Full Images have the OPNsense Importer feature that offers flexibility in recovering failed firewalls, testing new releases without overwriting the current installation by running the new version in memory with the existing configuration or migrating configurations to new hardware installations."
- Create generic standard config to import at each customer install.
## OPNcentral Provisioning
We can use OPNcentral to provision the configuration of the customer's device, which is probably more useful than using the importer. Has to be tested.
## Notes
- ATTENTION: On first initial install bussines license has to be configured before updating!!
- DNS Servers: Cloudflare
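Review bot: the order of the open items is the risk here: `enable ssh ... permit password login, port: 22` is already checked while `firewall rules` and `add office public ip as trusted (wan only reachable via office ip)` are not, so a device shipped at this stage has password SSH reachable from the whole WAN. Make the WAN source restriction a prerequisite that is checked before the device leaves the bench. Also `enable assess log` → `enable access log`, `BUSSINES LICENSE` → `BUSINESS LICENSE`, `ldap server config` and `setup ldap server` are the same item listed twice, and the license-before-update warning appears both in the special checklist and under `## Notes`, where it should be one item at the top of the special checklist.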

View File

@@ -0,0 +1,86 @@
## Intro
The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall is not anymore supported in the future or simply broken.. I dont know and care.
The Sophos thingy should be replaced by a OPNsense solution. In order to do this we try to reproduce the Sophos configuration as neatly as possible. Although it will be very hard.
### Plugins
- os-OPNcentral
- os-squid
- os-clamav
- os-c-icap
- os-acme-client
## Sophos features to reproduce
### Network
- [x] LAN port has a static network of: 192.168.9.254/24
- [x] default dhcp at br-lan: from 192.168.9.123 - 192.168.9.127
- [ ] WAN port has a static ip of: 192.168.99.253/24 (Speedport before firewall)
- [ ] ipv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
- [x] DNS request route configured : Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: UnboundDNS -> Query Forwarding. (this is a config required for ad integration)
- [x] DNS servers are: itself, and choose arbitrary monopolistic techgiant
- [ ] ssl cert via acme (http-challenge), needs only to be enabled in ui and cert issued
### Authentication
- [x] Require MFA for: user portal, web admin console
- [ ] setup ad as "server" in opnsense
- [ ] import users form ad!!! (I hope it works...)
#### Not required
- [y] Kerberos for authenticating non-AD users (web authentication??)
- [y] captive portal
### Miscellaneous
- [x] sophos antivirus alternative (clamav + c-icap + squid web proxy)
- [x] SSL VPN - Needs to be tested properly
- [x] using SSL/TLS inspection with squid (transparent web proxy)
## Firewall rules to reproduce
- [x] allow VPN access to LAN network (any service) (web proxy) (ips: general policy) (waf)
- [x] allow LAN access to WAN network (dhcp. dns. ftp. http. https. icmp. icmpv6. imap(s). Jimdo-Mail??. ntp. ping. pop3(s). smtp. smtp(s). Teamviewer. ) (scan http and decrypted https, scan ftp for malware, use web proxy) (ips: general policy) (waf)
- [ ] service alias for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
- [x] allow wan access over https and ssh only via office ip (213.160.17.158) (in sophos jargon: "local service ACL exception rule" )
## IPS
- [x] default general policies
- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)
## Web Proxy
- [x] risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
- [x] https encryption
- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings under Froward Proxy list)
### Optional
The following features are too complicated and thus only optional.
## Web application firewall
- [ ] too complicated
## Wireless
- [ ] does it need to be configured on opnsense???
## Mail protection
- [y] scan ~~outgoing~~ incoming mails for malware (why??)
## Web Server
- not used
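Review bot: two values here contradict other notes in this commit and should be verified before rules are written: the WAN access rule restricts to office IP `213.160.17.158`, but the generic checklist records the office as `213.160.17.142/28` and `213.160.17.141`, and `.158` lies outside the 213.160.17.128/28 range; and the DNS forwarding line sends `ffr.local` to `frr-srv-dc02.frr.local`, so one of `ffr`/`frr` is a typo. `[y]` is used as a checkbox state without a legend, `SSL VPN - Needs to be tested properly` is ticked although it says it is untested, and `Froward Proxy` → `Forward Proxy`.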

View File

@@ -0,0 +1,5 @@
1. Learn Central Management
2. Include firewall to OPNcentral
3. Setup acme for ssl/ setup OPNWAF with acme included
4. Provision OPNsense Firewall via central management

View File

@@ -0,0 +1,40 @@
## Introduction
Goal: Propose a UTM firewall based on the opnsense operating system to the customer.
Make "Bundles" including different kind of features with different price tags:
### Features
#### Main
- Base setup (routing, generic config, firewall rules, vlans, authentication via ad, etc...)
- VPN (standard OpenVPN)
- Free SSL certs (via ACME and Lets Encrypt) with auto-renewal
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL inspection, managed TLS exclusion, https de-/encryption) (!NOTE!: opnsense ca needs to be trusted from every client, which can be distributed by a GPO rule)
- Extend Feature of OPNsense Antivirus (with clamav + c-icap)
- IDS/IPS Protection via Suricata
#### Not implemented yet
- Mail Protection via Mail Relay on OPNsense
- WAF
#### Optional
- DynDNS
- Backup of config to google cloud, git or nextcloud (standard is backup locally and to opncentral)
- `OPNProxy`-Plugin extends Web Proxy to fine grained control of user/group access to certain domains/urls
### Bundles
#### Level 1
- Base
- VPN
- SSL certs (can be managed centrally by opncentral and pushed to specific customers when needed)
#### Level 2
- Web Proxy + Antivirus
- IDS/IPS Protection
#### Level 3
- Mail Protection
- WAF
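Review bot: `#### Level 3` bundles `Mail Protection` and `WAF`, which the same file lists under `#### Not implemented yet`; either mark Level 3 as not yet offered or move those items once they work. The web proxy caveat that the OPNsense CA must be trusted by every client is the key operational requirement for SSL inspection and deserves its own line in the base setup, noting that a GPO only reaches domain-joined Windows clients. `Extend Feature of OPNsense Antivirus` → `Extended antivirus feature`.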

View File

@@ -0,0 +1,38 @@
## Source
- <https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/>
- <https://docs.opnsense.org/manual/ips.html>
## Introduction
> "The Intrusion Prevention System (IPS) system of OPNsense is based on Suricata and utilizes Netmap to enhance performance and minimize CPU utilization. This deep packet inspection system is very powerful and can be used to detect and mitigate security threats at wire speed."
## Initial Settings
1. Got to "Services > Intrusion Detection > Administration" which defaults to the "Settings" tab
2. Click the "Enable" checkbox to activate intrusion detection
3. Activate IPS by checking "IPS mode"
4. Optional: If using VLANs, check the "Promiscuous mode" checkbox
5. Set the pattern matcher as "Hyperscan"
6. As Interface choose "LAN" to monitory the local network traffic
7. When finished click "Apply" to save the settings.
Even though intrusion detection is enabled nothing will happen until we have
downloaded some rule sets and configure at least one policy.
Below you see a picture of the network configuration:
![img1](opnsense/idsips/settings.png)
## Downloading and Enabling Rulesets
**(NOTE FOR ME: It has yet too be decided which rules we will use eventually. This
also depends on the specific customer' needs.)**
1. Change to the "Download" tab.
2. Select all pre-defined lists (depends on customer' needs) and click on "Enable
selected" and directly after "Download & Update Rules"
3.
![img2](opnsense/idsips/downloads.png)
## Creating a Policy
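Review bot: step 3 of `## Downloading and Enabling Rulesets` is empty and `## Creating a Policy` has no body, yet the text above states that nothing happens until rule sets are downloaded and at least one policy is configured, so the procedure currently stops before detection is active. Fill in the policy step (which rule sets, alert or drop) and resolve the inline note about which rule sets to use before this is applied at a customer. Typos: `Got to` → `Go to`, `monitory` → `monitor`, `too be decided` → `to be decided`, `customer' needs` → `customer's needs`; the image paths `opnsense/idsips/...` are relative and depend on where the file is rendered.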

View File

@@ -0,0 +1,3 @@
## Source
- <https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/>

View File

@@ -0,0 +1,15 @@
## UTM Configuration
- [x] ids/ips (suricata)
- [ ] web proxy
- [ ] antivirus
- [ ] openvpn
- [ ] acme
- [ ] mail protection
- [ ] waf
## Non-common
- [ ] VLAN
- [ ] LAGG

View File

@@ -0,0 +1,105 @@
## Ressources
- [Install](https://www.dokuwiki.org/install)
- [security](https://www.dokuwiki.org/security)
- [php](https://www.dokuwiki.org/install:php#php_configuration_for_dokuwiki)
- [non-official install](https://landchad.net/dokuwiki/)
- [installer.php](https://www.dokuwiki.org/installer)
- [download page](https://download.dokuwiki.org/)
- [used tarball](https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz)
## History
Install web server (ngnix), php and its desired modules:
```sh
apt install nginx php php-fpm php-xml php-mbstring php-zip php-intl php-gd php-json php-bz2
```
Download the [tarball](https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz) , unpack the distribution tarball and upload/copy the files to your webspace:
```sh
wget https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
tar xzvf dokuwiki-stable.tgz
mv dokuwiki-*a /var/www/dokuwiki
chown -R www-data:www-data /var/www/dokuwiki
```
Create the nginx config file at `/etc/nginx/sites-available/example.com` with the following input.
Nginx config example(change accordingly to your needs. mainly change "server_name"):
```conf
server {
listen 80;
listen [::]:80;
server_name example.com 10.0.0.10;
# Maximum file upload size is 4MB - change accordingly if needed
client_max_body_size 4M;
client_body_buffer_size 128k;
root /var/www/dokuwiki;
index doku.php;
#Remember to comment the below out when you're installing, and uncomment it when done.
location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; }
# .ht - .htaccess, .htpasswd, .htdigest, .htanything
# .git, .hg, .svn - Git, Mercurial, Subversion.
# .vs - Visual Studio (Code)
# All directories except lib.
# All "other" files that you dont want to delete, but dont want public.
location ~ /(\.ht|\.git|\.hg|\.svn|\.vs|data|conf|bin|inc|vendor|README|VERSION|SECURITY.md|COPYING|composer.json|composer.lock) {
# Returns 403
deny all;
#return 404;
}
#Support for X-Accel-Redirect
location ~ ^/data/ { internal ; }
location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ {
expires 365d;
}
location / { try_files $uri $uri/ @dokuwiki; }
location @dokuwiki {
# rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
location ~ \.php$ {
try_files $uri $uri/ /doku.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:/var/run/php/php-fpm.sock;
# fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version
}
}
```
Enable the Website:
```sh
ln -s /etc/nginx/sites-available/dokuwiki /etc/nginx/sites-enabled/
```
Restart nginx and php in order for the changes to take effect:
```sh
systemctl restart nginx && systemctl restart php8.2-fpm
```
To run the installer, open the page http://DokuWiki-IP/install.php in the web browser. Follow [installer.php manual](https://www.dokuwiki.org/installer).
Once thats done, remember to uncomment the location line on the nginx configuration file.
Open `/etc/nginx/sites-available/dokuwiki` with a text editor and remove the “#” symbol at the beginning of the line.
Reload nginx once again so that the changes take effect.
```sh
systemctl restart nginx
```
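Review bot: the config is written to `/etc/nginx/sites-available/example.com`, but the enable step links `/etc/nginx/sites-available/dokuwiki` and the post-install edit opens the same `dokuwiki` path, so "Enable the Website" fails with the paths as given; use one filename throughout. `mv dokuwiki-*a /var/www/dokuwiki` depends on the extracted directory name ending in the letter "a" (release directories are named `dokuwiki-YYYY-MM-DD` plus an optional letter), so `mv dokuwiki-*/ /var/www/dokuwiki` is the safer form. The server block only listens on port 80, which means the admin password typed into install.php and every later login travel in cleartext; put TLS in front before running the installer (the commit elsewhere links a Let's Encrypt guide) and delete install.php after setup instead of relying on the `deny all` line that the text tells the reader to comment out during installation. Finally, nginx takes the first matching regex location, and `location ~ /(\.ht|...|data|...)` comes before `location ~ ^/data/ { internal ; }`, so a request or X-Accel-Redirect to `/data/...` lands in the deny-all block and the `internal` location is never selected; move the `^/data/` block above it if X-Accel-Redirect support is wanted.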

View File

View File

@@ -0,0 +1,31 @@
## Todo
- [ ] change passwords of users
- [ ] delete WANsbx
## notes
### PPPoe
M-Net Premium 100/40
Pub IP: "80.81.11.208/32"
Username: XA10636023@mdsl.mnet-online.de
Password: UmbKmYsh
Interface SG: eth1
Interface OPNsense: ix1
VLAN tag: 40
### networks
#### Direktorat-netz
Static IP: 192.168.1.2/24
Interface SG: eth2
Interface OPNsense: ix0
#### Schul-netz
Static IP: 192.168.2.4/24
Interface SG: eht0
Interface OPNsense: ix2
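Review bot: the PPPoE password under "### PPPoe" is committed in cleartext together with the username and public IP; ISP credentials belong in the team password manager, with this file referencing the entry. Since the repository history keeps the value even after the line is removed, treat the credential as exposed and rotate it with the provider, which fits the open todo "change passwords of users". Minor: "Interface SG: eht0" under Schul-netz is presumably eth0.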

View File

@@ -0,0 +1,45 @@
## Introduction
### Time and Space
- Locale: Anni-Albers-Str. 7
- Time: 26.11.24 (09:30) and 17.12.2024
- Contact: Michel Naundorf
### Company Size
### Requirements
- Use Ubuntu 24.04 LTS or 22.04 LTS (isos installed)
- owncloud knowledge (how to install)
### Recommended Environment
| Platform | Options |
| ----------- | --------------------------------------- |
| OS | Ubuntu 20.04 LTS |
| DB | MariaDB 10.11 |
| Redis | >=6 |
| Web Server | Apache 2.4 with `prefork` and `mod_php` |
| PHP runtime | 7.4 |
## In presence appointment
### Goal
Try to upgrade the Ubuntu instance in-place from Ubuntu 16.04 LTS as far as possible.
They provide a test instance which can be tested with.
My task is too just test if it is possible to upgrade the instance in-place.
### Facts
#### Test Machine
- data are on 2 separate physical drives
## Resources
- [Deployment Recomendations](https://doc.owncloud.com/server/next/admin_manual/installation/deployment_recommendations.html)
- [Quick Install - Ubuntu 22.04](https://doc.owncloud.com/server/next/admin_manual/installation/quick_guides/ubuntu_22_04.html)
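Review bot: the in-place upgrade described under "### Goal" cannot go from 16.04 straight to 22.04 or 24.04: Ubuntu's release upgrader only moves an LTS to the next LTS, so the path is 16.04 to 18.04 to 20.04 to 22.04 (and on to 24.04), each hop shipping its own PHP version, and ownCloud itself has to be upgraded one major version at a time in step with the PHP it supports. The "Recommended Environment" table (Ubuntu 20.04, PHP 7.4) also contradicts the requirement "Use Ubuntu 24.04 LTS or 22.04 LTS"; state which target is authoritative and for which ownCloud version. "### Company Size" is empty.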

View File

@@ -0,0 +1,8 @@
## Introduction
Build ansible playbook which automatically deploys a LAMP stack with owncloud.
## Test Environment
- Use Vagrant

View File

@@ -0,0 +1,9 @@
## Steps
- Use Test Instance to migrate owncloud
- Setup test Instance
- Setup new test instance
- Migrate dabase
- Migrate date
- Recreate SSL setup

View File

@@ -0,0 +1,31 @@
## Notes
- I need for testing a separate dns server
- build a test environment on our proxmox instance
## Init Meeting
- reverse proxy aufsetzen
- bestehende maschinen brauchen nicht angefasst zu werden
- ssl zertifikate bestehen
### Steps
- ansible script which sets up caddy with own certificates (research how to run against google cloud engine)
- create plan of reverse proxy function
- test against own infrastructure
- apply with lukas
- create vm with terraform
- provision it with ansible
- change dns entries to point to reverse proxy
- configure reverse proxy for desired domains
## After Meeting
- schreibe kalkulation fuer die umsetzung
## Ansible
- [ ] change caddy such that it uses existing ssl certs
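Review bot: for the open item "change caddy such that it uses existing ssl certs", the Caddyfile `tls` directive accepts a certificate and key path (`tls /path/to/cert.pem /path/to/key.pem`), which also switches off automatic ACME issuance for that site; the plan should then name who renews those certificates and how renewed files reach the proxy VM, because the meeting's "ssl zertifikate bestehen" turns into a recurring task once Caddy no longer manages them. Ordering under "### Steps": "change dns entries to point to reverse proxy" is listed before "configure reverse proxy for desired domains"; configure and test the proxy first (the "test against own infrastructure" item), then move DNS, so there is no window in which the domains point at an unconfigured host.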

View File

@@ -0,0 +1,41 @@
## Time and Space
- Bauerstr. 20
- 19.11.2024:09:00
## FW rules
- no special FW rules configured
### Ports to remember
- 5222 (xmpp or similar)
- 7000
## SSL/TLS inspection
- deactivated in current setup
- when activating on new firewall we will have many problems afterwards
- inform yourself about currently used systems and possible systems
## WAN
- IPv4 gateway: M-net-vdsl, 82.135.16.28, Port2 - 93.104.238.207/255.255.255.255
### PPPoe
- Username: X910931381@mdsl.mnet-online.de
- Password: BZCYWHdA
## Wireless
- AP mac-address: 7c:5a:1c:e4:1b:76
- AP switch port: 40 (shared with others)
- HT-Intern. Pass: NjRkZjFmNTIzMzk5Yzcz
## Switch
- Model: HPE HP 2530-48G Switch
![Switch Mac Addresses](files/hannes_roessler/20241118_switch-mac-addresses.png)
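Review bot: the PPPoE password under "### PPPoe" and the internal WLAN passphrase ("HT-Intern. Pass") are committed in cleartext; move both to the password manager and rotate them, the WLAN key in particular, since a committed PSK has to be treated as shared with everyone who can read the repository history. The "SSL/TLS inspection" section predicts "many problems" when enabling it on the new firewall without naming any; record the known-affected systems (the "inform yourself" item) so the decision not to enable it is documented.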

View File

@@ -0,0 +1,3 @@
## Notes
- Aruba 254024G password reset of password manager

View File

@@ -0,0 +1,56 @@
## Autotask
- Go to projects and find the customer
- write my times needed for each step into data sheet
## Space and Time
- Space: **Goethestr. 52, 80336 Muenchen**
- Time: **Monday 28.10 - Wednesday 30.10**
## To consider
- From SG to XGS
- recreate config (SG and XGS firmware differ)
- test template
- enforce sbx vlan standard
- APs from Sophos available
- need to be added to Sophos Central
- currently in the SG confiured
- 25 VPN user + ITM own config
- need to download new config via vpn-portal
- write manual for the customer
- up to 1h down possible
## Notes/Todos
- domain: hightec.local
- switches anpassen. vlans schon angelegt
- who is renate goepfert and whats her mail? (because of vpn.) Is she related to ITM?
- ssl inspection cert distribution over ad - DONE
- reset ap on button and include it to sophos central (serial killer: P320056JRR3XVFB)
## passwords
- wlan: hts!356383
- **internet zugang (pppoe): User: X910449160@mdsl.mnet-online.de , Pass: PfpAHNsZ**
- ad bind: user: ldap_sophos, pass: K5(|~H)hD/V[Sg(
## Vor-Ort Notes
- Stromkabel zur USV vergessen
- manager, pass: QFxyFNgKIS
- xgs, pass: gQf=9_7;_+c9^r.>}xZ2R^U]gX>z?B
- printer mac: 00:20:6B:40:E7:C7
### Ports Switch
- 48: Trunk (tagged)
- V10_Server: 11,13,1 (USV)
- MGMT: 12,14
- V70_Phone: 2,8,35
- V20_Client: 5-7,9-10, 15-17, 25,28.30,31,33,34,37-39,42,44,46
- V40_WLAN-Intern,V50_WLAN-Gast: 47(tagged)
- me: 21
- Unidentified: 27,29
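Review bot: this hunk commits the WLAN key, the PPPoE login, the AD bind password for `ldap_sophos`, and the XGS and switch-manager admin passwords in cleartext. All of them should be rotated after this commit and stored in the password manager; the LDAP bind account should additionally be verified as a least-privilege read-only user, since it is the account the firewall uses for directory lookups. Under "### Ports Switch", ports 27 and 29 are "Unidentified" on a switch that also carries a tagged trunk (48); identify them or shut them down. "28.30" in the V20_Client list is presumably "28,30".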

View File

@@ -0,0 +1,16 @@
## Einleitung
Dieses Dokument erklaert Ihnen wie Sie Ihren vpn wieder einrichten koennen.
## Rezept
1. Besuchen Sie bitte das VPN-Portal Ihrer Firewall: <https://gw.hannes-roessler.de>
![VPN-Portal-login](files/sophos/vpn-portal-manual_01.png)
2. Melden Sie sich mit Ihren bekannten VPN Zugangsdaten an. Bei erfolgreicher Anmeldung erscheint das folgende Fenster:
![VPN-Portal-loggedin](files/sophos/vpn-portal-manual_02.png)
3. Sofern Sie VPN zuvor auf Ihrem Rechner genutzt haben, sollte der "Sophos Connect Client" bereits auf Ihrem Rechner installiert sein. Wenn nicht, klicken Sie bitte auf einen der beiden Links oben, um den "Sophos Connect Client" auf Ihrem Windows oder MacOS zu installieren. (Intern fuer mich. Alter Sophos Client macht Probleme)
4. Nachdem Sie den "Sophos Connect Client" erfolgreich auf Ihrem Geraet installiert haben, muessen Sie Ihre VPN Konfigurationsdatei runterladen:
![VPN-Portal-config](files/sophos/vpn-portal-manual_03.png)
5. Die heruntergeladene Datei ist eine sogennante .ovpn Datei und muss in Ihren Sophos Connect Client importiert werden. ("import connection" rechts unten im gezeigten Bild)
![VPN-Portal-import](files/sophos/vpn-portal-manual_04.png)
![VPN-Portal-ovpn](files/sophos/vpn-portal-manual_05.png)
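Review bot: the parenthetical in step 3, "(Intern fuer mich. Alter Sophos Client macht Probleme)", is an internal remark inside a customer-facing manual; move it to the internal notes before this is sent out. The recipe ends after importing the .ovpn file and never says how to start the connection or what a successful connection looks like in the client; add that as step 6 with a screenshot, as steps 1 to 5 are illustrated.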

Binary file not shown.


Binary file not shown.


View File

@@ -0,0 +1,15 @@
Capture here all settings which I done in the template
**Serial Number: C1A1046KXFXKT60**
## Administration
### Device Access
Local service ACL: Close all on WAN Interface except "SSL VPN"
Local service ACL exception rule: Add "sbx_office". Source Network Host: 213.160.17.158; Services: https, ssh; Action: Allow
### Admin and user settings
### Time
Custom ntp server: <de.pool.ntp.org>
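Review bot: the device-access exception rule opens https and ssh on the WAN side for the single source host `sbx_office`; since the same ACL already permits "SSL VPN" on WAN, consider reaching the admin interfaces through the VPN and dropping the WAN ssh/https exception, or at least document how the exception is updated when the office address changes, because the usual fallback is to widen it. "### Admin and user settings" is empty.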

View File

@@ -0,0 +1,23 @@
## Templates
### MAIN TEMPLATE
**This template is ALWAYS linked to all customer firewalls and corresponding changes should be done in the template**
_Such a template enforces implicitly a standard configuration which is the same for every fw. _
- Include configs which hold for ALL customers
- These include the following settings:
- Hosts and Services
- Administration
- Web
### New Installations TEMPLATE
- **This template is only used once when configuring a firewall initially**
- could differ for different customers
### Special TEMPLATES
1. VLANs related settings
2. intrinsic commercial sophos security features

View File

@@ -0,0 +1,14 @@
## Private
- 192.168.xx.0/24
## VPN
- 10.81.0.0/24
### Rule

View File

@@ -0,0 +1,13 @@
## ActiveDirectory
- LDAP: 389 (TCP & UDP)
- LDAPS: 636 (TCP)
- Global Catalog: 3268, 3269 (TCP)
- Kerberos: 88 (TCP & UDP)
- Kerberos-Kennwortänderung: 464 (TCP & UPD)
- DNS: 53 (TCP & UDP)
- RPC: 135 (TCP) + Dynamische Ports (4915265535 (TCP))
- SMB: 445 (TCP)
- NTP: 123 (TCP & UDP)
- RAW: 9100 (TCP)
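Review bot: "Dynamische Ports (4915265535 (TCP))" lost its range separator and should read 49152-65535. "UPD" on the Kerberos password-change line should be "UDP". "RAW: 9100 (TCP)" is the raw/JetDirect printing port, not an Active Directory port, and should not end up in an AD firewall rule by copy-paste; move it to its own section.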

View File

@@ -0,0 +1,8 @@
## TODO
- Alle Mitarbeiter muessen ihre MAC Addresse im Sophos Template hinterlegen.
## Mac Addresses
- Sebastian: WLAN: 50-76-AF-35-0D-6D, LAN: E8-6A-64-73-94-35
- Petar: WLAN: 04-7B-CB-CA-CA-1A, LAN: FC-5C-EE-22-5E-B2

View File

@@ -0,0 +1,12 @@
## Intro
source: KWAiMac03flu
target: KWAiMac27lba
## main
- transfer data from source machine to target
- configure julia stela's profile on source
Temporaeres Passwd fuer Juri: `_qj_I.d}dE\-`
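Review bot: a temporary user password is committed in cleartext; even a temporary one should be handed over out of band (or through the password manager's sharing function) and set to "must change at next logon", not stored in the repository. The "## main" steps also do not say what happens to the source machine's data after the transfer (wipe, keep as backup, for how long).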

View File

@@ -0,0 +1,12 @@
## Sebastian Peter
username: s.peter
mail: sebastian.peter@knoppwassmer.de
password: A{zT)P39TX=EtD:
## Markus Wassmer
username: m.wassmer
mail: markus.wassmer@knoppwassmer.de
password: )NBDNv@(2}tM[a(
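Review bot: initial passwords of two named users are committed in cleartext next to their usernames and mail addresses, which is exactly the pair an attacker needs; deliver initial credentials through a separate channel, force a change at first login, and drop this file. Removing the lines later is not enough once the commit exists in the history, so rotate both passwords now.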

View File

@@ -0,0 +1,11 @@
## Issues
- 10 gb network card not recognized; (Intel® Ethernet Network Adapter E810-XXVDA2) either drivers or frimware update required, we guess
## Todo next appt
- [ ] 5 green cable - ilo server
- [ ] 10 kaltgeraetestecker - strom
- [ ] locally mount and setup 3rd computing node
- [ ] REMOTE - 25 GB network card issues - try to install driver or update firmware
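Review bot: the first line says "10 gb network card" while the todo says "25 GB network card"; the part number given, E810-XXVDA2, is a 25GbE adapter, so the first line is the one to correct. On Linux the E810 family is driven by the `ice` kernel module, which needs a matching DDP package and NVM firmware; record the kernel, `ice` driver and firmware versions seen on the node so the remote session can start from known facts rather than "we guess".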

View File

@@ -0,0 +1,60 @@
## Intro
Die Sophos Firewall beinhaltet unterschiedliche Security Features. Diese koennen global oder gezielt in Firewall Regeln eingesetzt werden, um Netzverkehr zu filtern und auf Sicherheitsrisiken zu scannen.
In Anlehnung an unsere Erfahrung und unsere technische Einschaetzung, setzen wir diese Sicherheitsfeatures bei Netzwerken ein, bei welchen wir der Meinung sind, dass dies aus Sicherheitsgruenden notwendig ist.
Die vorhandenen Sicherheits Features umfassen die folgenden (die Liste ist nicht erschoepfend, sondern beinhaltet ):
- Intrusion Prevention System
- Web Filter
- Application Filter
- Web Server Protection (Reverse Proxy/ WAF)
Im Folgenden moechte ich diese Features kurz erklaeren, um im Anschluss auf relevante Punkte in diesem Zusammenhang in Ihrer Netzwerkstruktur einzugehen.
Zuvor stellen wir eine Zusammenfassung Ihres Netzwerk auf, auf welche die genannten Security Features wirken.
## Network Infrastructure
In Ihrer Firewall sind die folgenden Netze konfiguriert:
| Name | Interface | Netzwerk |
| --------------- | --------- | ------------------ |
| WAN | Port2-WAN | 192.168.178.254/24 |
| LAN - Internal | Port11 | 192.168.10.254/24 |
| Wlan NEO-Intern | Port11 | 192.168.20.254/24 |
| Wlan NEO-Mobile | Port11 | 192.168.30.254/24 |
| Wlan NEO-Guest | Port11 | 192.168.40.254/24 |
| MGMT Netz | Port11 | 192.168.50.254/24 |
| Server Netz | Port9 | 192.168.60.254/24 |
| Labor Netz | Port10 | 192.168.70.254/24 |
| Telefon Netz | Port11 | 192.168.80.254/24 |
Spaeter gehen wir drauf ein wie die Sicherheitsfunktionen auf die einzelnen Netze angewendet sind.
## Security Features
### Intrusion Prevention System
*Quelle: <https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/IntrusionPrevention/index.html>*
Im Allgemeinen, ueberwacht ein Intrusion Prevention System (IPS) den Netzwerkverkehr auf potentielle Gefahren und blockt diese automatisch, indem es Meldungen raussendet, gefaehrliche Verbindungen unterbricht, boeswilligen Content entfernt oder andere Sicherheitsaktoinen triggert.
Sophos ueberwacht den Verkehr speziell auf Anomalien, um DoS (Denial of Service) Attacken und andere Spoofing (Taeuschung/Verschleirungs) Attacken abzuwehren. Man kann spezifisch Policies setzen, welche Handlungen vorgeben bei zutreffenden Kriterien im Netzwerkverkehr.
### Web Filter
*Quelle: <https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/index.html>*
Web Filter schraenkt den Verkehr ein beim Web Browsing. Es koennen Einschraenkungen gesetzt werden mit _Kategorien_, _URL Gruppen_ und _Datei Typen_, um das Web Browsing zu limitieren.
Dadurch koenne Webseiten komplett geblockt werden oder Warnmeldungen iniziert werden beim Besuch bestimmte Seiten (zum Beispiel das koennen ganze Social Media Plattformen geblockt werden).
### Application Filter
*Quelle: <https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Applications/index.html>*
### Web Server Protection
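Review bot: the customer-facing intro stops mid-sentence ("die Liste ist nicht erschoepfend, sondern beinhaltet )"), and "### Application Filter" and "### Web Server Protection" contain only a source link or nothing at all, although the intro promises an explanation of each feature; finish them or remove them from this version. In the network table the WAN is 192.168.178.254/24, i.e. a private network behind another router; say so explicitly, because web server protection and any port forwards then also depend on that upstream device.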

View File

@@ -0,0 +1,40 @@
## Checkliste
1. Bestimmung softbox interner Ansprechpartner für den Kunden
2. Aufnahme Kundendaten, Einpflegen in Lotus Notes Stammdaten (Kundennummer wird erzeugt)
3. Hinterlegen des Kunden in Autotask mit gebuchten Verträgen, Ansprechpartnern und Kundennummer
4. Netadmin Analyse, Analyse des Schritte, die nötig sind die Umgebung auf Softbox-Standard zu bringen
- Serverhardware
- Switches
- WLAN
- Virtualisierung
- M365
- Backup
- Firewall
- IT-Security
- Bennungsstandard
5. Einrichten Ninja
- Kunden in Ninja anlegen
- Kunden mit Autotask-Kunden verknüpfen
- (wenn vorhanden) Agent auf Servern installieren
- AD-Discovery Job anlegen zum verteilen des Agents auf Clients
6. Dokumentation der Umgebung in IT-Glue
- Befüllen aller Kategorien nötig
7. Onboarding vor Ort
- Fotos in IT-Glue der relevanten Komponenten
- Beschriftung der Systeme
- Standardisierung Patchkabel
8. Abstimmung und Aktivierung Windows Updates
- Serversysteme
- Clientsysteme
9. Installation Sophos Intercept X Advanced, Intercept X Server, Device encryption
- Einrichten SophosCentral
10. Useronboarding:
- Klären zentraler Ansprechpartner vor Ort
- Erklärung und Versand Kontakt Flyer (Siehe Related Items)
- Einrichten Zugang zu IT- Glue und Autotask
11. Einrichten Backup
- Softbox Backup für lokale Systeme
- Softbox Backup für M365
- Veeam
- Test und Übernahme ins Monitoring

View File

@@ -0,0 +1,52 @@
<h2 id="introduction">Introduction</h2>
<p>Generic manual for onboarding new customers.</p>
<h2 id="important">3 Important</h2>
<ul>
<li>Check customer contract</li>
</ul>
<h2 id="ninjaone">NinjaOne</h2>
<h3 id="devices">Devices</h3>
<ul>
<li>Manual approval</li>
</ul>
<h3 id="credentials">Credentials</h3>
<h4 id="list">List</h4>
<ul>
<li>Set an administrator account (Username/Password) for their domain/local.</li>
</ul>
<h4 id="defaults">Defaults</h4>
<ul>
<li>Set appropriate defaults depending on the customers infrastructure (windows, mac and/or linux in use?)</li>
</ul>
<h3 id="policies">Policies</h3>
<h4 id="agent-policies">Agent Policies</h4>
<ul>
<li>mod Exchange Policies</li>
<li>mod Veeam Policies</li>
</ul>
<h4 id="agent-policies-1">Agent Policies</h4>
<ul>
<li>change all “other” Policies to its specific fields (they start with “zz”)</li>
</ul>
<h3 id="ninja-remote">Ninja Remote</h3>
<p><strong>Enable Integration</strong></p>
<ul>
<li>Check “Ask the end-user for a confirmation before connecting” for <strong>non-servers</strong>
<ul>
<li>Set Confirmation timeout to: 1 min</li>
<li>Check “allow access if the end-user does not answer the timeout…”"</li>
</ul></li>
</ul>
<h3 id="backups">Backups</h3>
<ul>
<li>Let disabled at onboarding</li>
</ul>
<h3 id="autotask-integration-in-ninjaone">Autotask Integration in NinjaOne</h3>
<p>Go to <code>Apps &gt; Installed &gt; Autotask PSA</code> Click on <code>edit</code> at settings. Map the Company names. Its OBVIOUS.</p>
<h2 id="recipe">Recipe</h2>
<ol type="1">
<li>Autotask: Check if Organization is created</li>
<li>NinjaOne: Create Organization and integrate Autotask</li>
<li>IT-Glue: Create Organization and integrate Autotask</li>
<li>Get connection to the companies DC server (if available) and install the Ninja Agent on it.</li>
</ol>
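Review bot: this HTML file is a rendered copy of the markdown onboarding manual added in the same commit, and the two already differ (the markdown version has an additional "Make always pictures" item under "Important"); keeping both in the repository guarantees drift. Keep the markdown as the source and generate the HTML at publish time, or drop this file.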

View File

@@ -0,0 +1,63 @@
## Introduction
Generic manual for onboarding new customers.
## Important
- Check customer contract
- Make always pictures of the infrastructure when on-site
## NinjaOne
### Devices
- Manual approval
### Credentials
#### List
- Set an administrator account (Username/Password) for their domain/local.
#### Defaults
- Set appropriate defaults depending on the customer's infrastructure
(windows, mac and/or linux in use?)
### Policies
#### Agent Policies
- mod Exchange Policies
- mod Veeam Policies
#### Agent Policies
- change all "other" Policies to its specific fields (they start with "zz")
### Ninja Remote
**Enable Integration**
- Check "Ask the end-user for a confirmation before connecting" for
**non-servers**
- Set Confirmation timeout to: 1 min
- Check "allow access if the end-user does not answer the timeout...""
### Backups
- Let disabled at onboarding
### Autotask Integration in NinjaOne
Go to `Apps > Installed > Autotask PSA`
Click on `edit` at settings.
Map the Company names. Its OBVIOUS.
## Recipe
1. Autotask: Check if Organization is created
2. NinjaOne: Create Organization and integrate Autotask
3. IT-Glue: Create Organization and integrate Autotask
4. Get connection to the companies DC server (if available) and install
the Ninja Agent on it.
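Review bot: "#### Agent Policies" appears twice under "### Policies"; the second block (the policies starting with "zz") needs its own heading. "Map the Company names. Its OBVIOUS." is not a procedure: state what is matched (Autotask company to NinjaOne organization) and what to do when the names do not match. Step 4 of the recipe installs the agent on the customer's domain controller; note that the account used for that connection should be the administrator account set up under "#### List", not a personal one.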

View File

@@ -0,0 +1,59 @@
# On Boarding neuer Mitarbeitenden
**Ziel: Neue Mitarbeitende sollen am ersten Tag eine (diese) Anleitung erhalten mit der sie selbststaendig ihre Arbeitsplatz,-geraete und werkzeuge einrichten und gestallten koennen.**
## Vorarbeit durch Softbox
1. Zugangsdaten und Benutzerkonten einrichten (AD User erstellen(?), Office365, NinjaOne, Autotask, IT-Glue, Crewmeister, Sophos, etc...)
2. Geraet einrichten und bereitstellen
3. Zubehoer bereitstellen (HeadSet, Docking Station, Tastatur, Maus, ....)
## Checkliste fuer neue Mitarbeitende
### Grund Setup
1. Arbeitsplatz Einrichtung und Personalilsierung.
1. Notebook Einrichtung und Anmeldung.
- Basis Einrichtung
- Terminal einrichten
- Neuste PowerShell Version runterladen (`winget install Microsoft.PowerShell` in PowerShell)
- Installation von Addons für die PowerShell (Welche benoetigt wer??)
- Installation von Software, die man benoetigt: [WSL2](https://learn.microsoft.com/en-us/windows/wsl/install),....
- Browser Einrichtung (Chrome, Firefox, Edge)
- Peroehnliche Gestaltung des Laptops (Hintergrund, Farbschema,...)
1. Passwort Managament
- Optional aber empfohlen: Passwort Manager (Zum Beispiel: KeePass, BitWarden, [Andere](https://github.com/pluja/awesome-privacy?tab=readme-ov-file#password-managers),...) fuer Credentials und MFA
- Sonst: MFA faehige Mobile App installieren und einrichten (Google Auth., Microsoft Auth., Authy, [Andere](https://github.com/pluja/awesome-privacy?tab=readme-ov-file#2fa),...)
1. Installation und Anmeldung bei:
- Office365
- Outlook
- Teams (Work Version von Teams)
1. Bereitgestellte Zugangsdaten nutezen zur ersten Anmeldung und Einrichtung von:
- [NinjaOne](https://softbox.rmmservice.eu)
- [IT Glue](https://softbox.eu.itglue.com)
- [Autotask](https://ww18.autotask.net)
- [Crewmeister](https://app.crewmeister.com)
- [Sophos Central](https://central.sophos.com/manage/partner/dashboard)
1. NinjaOne Agent auf eigenem Rechner Installieren
1. Softbox VPN einrichten:
- [User Portal](https://10.100.200.4:4443) besuchen und Sophos Connect Client downloaden
- [VPN Portal](https://10.100.200.4/) besuchen und Konfiguration fuer Sophos Connect Clienten runterladen
1. Jabra Headset einrichten (komische SW)
1. Buero Drucker Einrichten
### "Erste Schritte" fuer Softbox Kern-Software
_Schreibe kurze, pregnante und aussagekraeftige Anleitungen fuer die wichtigsten unserer genutzten Software, um einen eigenstaendigen Einstieg in die Grundprozesse zu ermoeglichen._
1. Crewmeister "How-To"-Anleitung (kurz)
2. Autotask "How-to"-Anleitung (kann sehr ausfuehrlich werden)
3. NinjaOne "First-Steps"-Anleitung
### Auszubildende
Berichtsheft Vorlage von IHK Seite herunterladen (Link??) und anpassen.
(Kopie für jede Woche erstellen, ordnen und Deckblatt ausfüllen)
### Netadmin
- In NinjaOne selbststaending Test-Firma und Test-Geraete hinzufuegen (Anleitung erstellen)
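Review bot: the placeholders "(Welche benoetigt wer??)" and "(Link??)" are still open in a document meant to be handed to new staff on day one; resolve them before use. The password-manager item recommends storing "Credentials und MFA" in the same tool, which keeps both factors in one place; if that is the intended trade-off, say so, otherwise recommend a separate authenticator app as the "Sonst" line already does.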

4
projects/project-list.md Normal file
View File

@@ -0,0 +1,4 @@
## List
- [sbx-knowledgebase](/projects/sbx/knowledgebase)

View File

@@ -0,0 +1,6 @@
## Open Things
- [ ] Clustering
- [ ] tight Firewall Rules (VPN -> GA)
- [ ] integrate to OPNcentral

View File

@@ -0,0 +1,6 @@
## HA
### Use a XG and a SG?
- Not possible
- For CARP (Common Address Redundancy Protocol) the HW needs to be equal
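Review bot: "the HW needs to be equal" is stricter than the actual requirement: CARP and the configuration sync between the nodes need matching interface assignments (same interface names and roles on both boxes) plus a dedicated sync link; identical hardware is simply the easiest way to guarantee that. An XG and an SG box would have different NIC naming, which is the practical blocker and worth stating as such.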

View File

@@ -0,0 +1,50 @@
## Goals
- 2x WAN - 1 external and 1 internal (GA-Network)
- Static Routing via WANlrz for BACnet SW
- 1x LAN - `10.52.12.0/24`
## Facts
### WAN
> **Note:** Such a setup requires extended considerations and settings which is discussed in [[opnsense-on-sophosHW-multi_wan]].
> WANpub will be the primary WAN port
> WANlrz is temporarily used for the BACnet software and will be disabled after 2-4 months. The Campus-GA network will in future only be reachable by vpn.
#### External WAN
(primary WAN, in future ga netz ueber vpn)
- Network: `129.187.9.243/29`
- Gateway: `129.187.9.246`
- DNS Server: `129.187.104.5` (How reachable?)
#### Second WAN
- `192.157.165.50/24` (Campus GA-Netz, for BACnet SW. 2-4 Months living)
### LAN
- Interne Netzwerke(20241208):
- `10.52.12.0/24` Hauptgebäude GA (VLAN12)
- `10.52.50.0/24` GA-Netz (VLAN50)
- Interne Netzwerke(20241216):
- `10.52.12.0/24` LAN
### Port Forwarding
- BACnet `47808/udp`
### OpenVPN
- Set up for access to GA network
### Location
- FRM Versorgungsgebaeude
## Vor Ort Einsatz
- port forwarding in both direction to second esxi nic
- <https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense>
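Review bot: the port forwarding entry "BACnet `47808/udp`" does not say on which WAN it is applied or from which source addresses; BACnet/IP has no authentication, so the forward should be bound to WANlrz only and limited to the BACnet server addresses on the campus network, and removed together with WANlrz after the 2-4 month period given above. "port forwarding in both direction to second esxi nic" under "Vor Ort Einsatz" is ambiguous (NAT or routed?), and the transparent-bridge link next to it describes a different design than the routed two-WAN setup in "## Goals".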

View File

@@ -0,0 +1,17 @@
## Specific
In our setup we won't use Failover as the second WAN is primarily such that it has access to the Campus GA-network (`192.157.165.0/24` ? )
## General
### Multi WAN
Multi WAN scenarios are commonly used for failover or load balancing, but combinations are also possible with OPNsense.
#### Configure Failover
To setup Failover the following steps need to be taken:
1. Add monitor IPs to the gateways
2. Add a gateway group
3. Configure DNS for each gateway
4. Use policy based routing to utilize our gateway group
5. Add a firewall rule for DNS traffic that is intended for the firewall itself
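Review bot: the "Specific" paragraph says failover is not used, yet the only procedure given is "Configure Failover". What the goals file actually needs is the non-failover case: the second gateway not marked as default, static routes only for campus networks beyond the directly connected `192.157.165.0/24`, and a check that reply traffic for the BACnet forward leaves via WANlrz rather than WANpub. The "?" after `192.157.165.0/24` should be resolved against the Second WAN entry in the goals file.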

View File

@@ -0,0 +1,3 @@
- [multi-wan](https://docs.opnsense.org/manual/how-tos/multiwan.html)
- [hacarp](https://docs.opnsense.org/manual/hacarp.html)
- [carp](https://docs.opnsense.org/manual/how-tos/carp.html)

View File

@@ -0,0 +1 @@
erstelle einen separaten nutzer fuer externe Besucher der TUM, welcher mit otp eingestellt ist fuer die Authentifizierung.

View File

@@ -0,0 +1,11 @@
## Notes
- max tested already the migration with a test mailbox
- test next the migration of some (public) project folders
## teams phone
- do it after the mail migration
- upgrade and not a downgrade

View File

@@ -0,0 +1,104 @@
The Disney Method is a structured brainstorming technique that uses three distinct perspectives—**the Dreamer, the Realist, and the Critic**—to develop and refine ideas. Here's a workshop plan tailored to an MSP dealing with automation, standardization, and improving efficiency for companies with 20-30 employees:
---
## **Workshop Plan: Disney Method for MSP Process Improvement**
### **Preparation**
- **Duration**: 4-5 hours (including breaks)
- **Participants**: Include key employees from management, tech teams, and support teams to ensure diverse perspectives.
- **Materials**:
- Whiteboards, sticky notes, markers
- Large paper for mapping ideas
- Timer
- Projector (if needed for presentations)
- **Environment**: Arrange the space into three distinct zones or corners (labeled Dreamer, Realist, and Critic).
---
### **Agenda**
#### **1. Introduction (15 minutes)**
- **Objective**: Explain the goals of the workshop and the Disney Method.
- Share the current challenges (automation, standardization, efficiency).
- Define success: actionable, realistic solutions.
- **Icebreaker**: Quick activity to build rapport (e.g., "What's one innovation you love and why?").
---
#### **2. Stage 1: The Dreamer (45 minutes)**
- **Purpose**: Generate bold, creative ideas without limitations or concerns.
- **Setup**:
- Move participants to the *Dreamer Zone*.
- Ask them to imagine an ideal version of the company where everything is perfect.
- **Prompt Questions**:
- "What does a fully automated and standardized MSP look like?"
- "What if we had infinite resources—how would we solve our process issues?"
- "What would be the most exciting thing we could offer our customers?"
- **Activity**:
- Brainstorm ideas in groups.
- Write down every idea (no evaluation!).
- **Output**: A large pool of ideas.
---
#### **3. Stage 2: The Realist (1 hour)**
- **Purpose**: Refine the ideas into practical, actionable solutions.
- **Setup**:
- Move participants to the *Realist Zone*.
- Review the ideas generated in the Dreamer stage.
- **Prompt Questions**:
- "How can we implement this idea step-by-step?"
- "What resources do we need, and what resources do we have?"
- "Which ideas can be executed within our current constraints?"
- **Activity**:
- Split into small teams, each working on 2-3 Dreamer ideas.
- Develop actionable plans, timelines, and resource requirements.
- **Output**: A set of actionable plans for the most promising ideas.
---
#### **4. Stage 3: The Critic (1 hour)**
- **Purpose**: Identify risks, challenges, and weaknesses in the plans.
- **Setup**:
- Move participants to the *Critic Zone*.
- Examine the actionable plans developed in the Realist stage.
- **Prompt Questions**:
- "What could go wrong with this idea?"
- "Are there more efficient alternatives?"
- "How can we mitigate these risks?"
- **Activity**:
- Groups present their plans.
- Other participants play the role of the critic and provide constructive feedback.
- Revise plans based on feedback.
- **Output**: Polished and realistic action plans.
---
#### **5. Synthesis & Action Plan (45 minutes)**
- **Purpose**: Consolidate the best ideas into a strategic roadmap.
- **Activity**:
- Prioritize ideas based on impact and feasibility.
- Assign ownership to key team members for each initiative.
- Set timelines for implementation.
- **Output**:
- A finalized action plan, ready for execution.
---
#### **6. Closing & Next Steps (15 minutes)**
- Summarize the outcomes of the workshop.
- Gather feedback from participants.
- Share follow-up plans, including timelines and responsibilities for implementing ideas.
---
### **Post-Workshop Follow-Up**
- **Document outcomes**: Share a summary with participants and stakeholders.
- **Schedule check-ins**: Regular meetings to review progress on implementation.
- **Celebrate wins**: Acknowledge milestones and successes to maintain momentum.
---
This approach ensures balanced creativity, practicality, and critical thinking to address your company's challenges effectively.

View File

@@ -0,0 +1,42 @@
## Introduction
Our current knowledgebase is very unorganized. And nobody knows where to find something.
So the idea is to completely restructure the folder structure.
## Idea
- Put everything existing into an folder `/old`
## Hannah's Pre-Work
### Layout an Beta orientiert
Allgemeine Ordner Struktur:
Standardordner:
- Backup: (Veeam)
- Drucker: (Scanner…)
- Firewall:
- Sophos (XG)
- VPN (PSK, Site2Site)
- Internet/Provider: (Telekom, 1&1)
- WLAN (Pre-Shared Key)
- Mail: (M365, O365, CI-Sign, User E-Mails, SBX-Support)
- Server: (MSA, SVN)
- ILO
- Switche
- VM-Ware
- Systemgeräte: (Türklingel, Türschließanlagen, Monitoring, ISO, Softbox Handy)
- NAS
Firma spezifisch:
- Standorte (Nürnberg, Olching etc.)
- Telefonie
- Apple
- Programme/Dienste: Adobe, Anmeldungen, nextcloud, zoom, TeamViewer, ClickShare, Dark Trace
- (User Geräte): Produktkey, (Monitoring) AD
- Lokale windwos benutzer
- Offene Passwörter die man sortieren könnte: BETA
- Apple
- (Office)

View File

@@ -0,0 +1,18 @@
## Zyklisch
- Temp Folder regelmaessig loeschen; sowohl Windows und Mac. Linux macht sowas selber
- Unuetze Daten regelmaessig loeschen, die sich aber ansammeln; Download Ordner, Papierkorb, sonstiges (muss mit Kunden geklaert werden)
-
## Neu
- [sophos-vpn-provisioning](https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConConfigureProvisioningFile/index.html)
- PXE Boot im Buero
- Windows init Installation Automatisierung bei Faellen wo Intune nicht geht:
- Powershell Desired State Configuration (declarative)
-

View File

@@ -0,0 +1,21 @@
## Zyklische Aufgaben
- An Patch/Update Tagen alle fehlgeschlagenen Patches/Updates ueberpruefen
-
## Optmierung bestehender Systeme
### Backup Monitoring
Bestimmte Geraete/Services lassen sich nicht optimal in unsere bestehende Monitoring Loesung integrieren (aktuell NinjaOne).
Dies betrifft nach aktuellem Wissensstand:
- Veeam Backup Status Meldungen und Backup Reports
- Synology Hyper Backup (Ist keine native Syn Applikation, weshalb SNMP nicht dafuer unterstuetzt wird von Syn)
- Statusmeldungen zu nativen Synology Funktionen/Eigenschaften wie automatischen Updates, fehlenden Updates, Probleme bei Festplatten koennen ueber SNMP integriert werden, aber das Monitoring und die Benachritigung sind nur suboptimal.
Diese Systeme sind kritisch und Ihre Dysfunktionalitaet kann zu grossen Problemen fuehren.
Daher muessen wir eine Monitoring Loesung findnen, welche uns mindenstens sofort Benachrichtigt, wenn es zu kritischen Problemen bei diesen Systemen kommt.
### NinjaOne
- Alle fehlgeschlagenen Windows Updates ueberpruefen und die Fehler manuell bereinigen. Wenn die Updates wieder fehlschlagen, herausfinden warum dies geschieht. Damit dies nachhaltig zuverlaessig funktioniert. Es kann nicht sein, dass wir standardmaessig ueber 100 Meldungen haben bei denen OS Patches fehlgeschlagen sind.
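Review bot: the backup-monitoring section states the requirement ("sofort benachrichtigt") but not the interim control: until a replacement tool is chosen, say who receives the Veeam and Hyper Backup job reports today and where failures are tracked, otherwise a silent backup failure has no owner. Typos: "Optmierung", "Benachritigung", "findnen", "mindenstens".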

View File

@@ -0,0 +1,9 @@
Softbox has a general update cycle:
| Host | Cycle |
| --------------- | ------------------------- |
| Windows Clients | 3rd Thu of each Month |
| Linux/Win Server | 3rd Sat of each Month at 2:00 am |
| Linux Server | scan every day at 1:30 pm |
which is directed to [[windows-update-cycle]].
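Review bot: Linux servers appear twice with different times ("Linux/Win Server | 3rd Sat of each Month at 2:00 am" and "Linux Server | scan every day at 1:30 pm"); if the daily entry is only a scan, label the Cycle column accordingly (install vs scan), because as written it reads as two conflicting schedules. "which is directed to [[windows-update-cycle]]" would be clearer as "see [[windows-update-cycle]]".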

View File

@@ -0,0 +1,42 @@
A table of linux machines showing their OS, existence of unattended-upgrade config files, auto-update and -upgrade status and uptimes (changes dynamically)
Some linux hosts are missing which have been added to a later time. (date of creation: 2024-03-15)
| Device | Organization | OS | unattended disabled | Manual update and reboot | Comment |
| -------------------- | -------------------------- | ------------------- |:-------------------:|:------------------------:| ------------------------ |
| beta-srv-svn01 | Beta Film | Ubuntu 22.04.2 LTS | 1 | yes | n/a |
| bzt-srv-app01 | BZT | Ubuntu 20.04.3 LTS | 0 | | n/a |
| cloud | Softbox | Ubuntu 22.04.4 LTS | 0 | | n/a |
| cloud | BVV | Ubuntu 20.04.6 LTS | 0 | | n/a |
| gg-dmz-cloud01 | Gym Gruenwald | Ubuntu 22.04.2 LTS | 0 | yes | n/a |
| gg-dmz-web01 | Gym Gruenwald | Ubuntu 20.04.3 LTS | 0 | yes | n/a |
| git | Phytron | Ubuntu 20.04.6 LTS | 0 | | n/a |
| gitlab | BVV | Ubuntu 22.04.2 LTS | 0 | | n/a |
| grav | Gymnasium Grünwald | Debian 11 GNU/Linux | 0 | yes | n/a |
| mac-srv-gl01 | MACCON GmbH & Co. KG | Ubuntu 20.04.2 LTS | 0 | | n/a |
| mac-srv-nc01 | MACCON GmbH & Co. KG | Ubuntu 22.04.4 LTS | 0 | | n/a |
| mahara.vhs-bayern.de | BVV | CentOS ?? | 0 | | n/a |
| mail-gw1 | BVV | Ubuntu 20.04.6 LTS | 0 | | n/a |
| moodle | BVV | Ubuntu 16.04.7 LTS | 0 | | Linux Policy |
| mn-cloud-01 | maier.neuberger | Ubuntu 20.04.3 LTS | 0 | yes | n/a |
| neo-srv-ubt01 | NEOsphere Biotechnologies | Ubuntu 22.04.4 LTS | 0 | | Gitlab key error |
| neo-srv-ubt02 | NEOsphere Biotechnologies | Ubuntu 22.04.4 LTS | 0 | | Gitlab key error |
| nextcloud | 03 Arch. GmbH | Ubuntu 22.04.2 LTS | 0 | | n/a |
| nextcloud | Heilmaier | Ubuntu 18.04.6 LTS | 0 | | n/a |
| ns2 | BVV | Ubuntu 20.04.6 LTS | 0 | | dns server. DO NOT TOUCH |
| peb | BVV | Ubuntu 20.04.6 LTS | 0 | | n/a |
| pve (NO UPDATES) | Softbox | Debian GNU/Linux 12 | 0 | | Linux Policy |
| rproxy2 | BVV | Ubuntu 20.04.6 LTS | 0 | | n/a |
| SRV-APP04 | Allude | Ubuntu 16.04.5 LTS | 0 | | n/a |
| st20mapp-p016 | studio2010 GmbH & Co KG | Ubuntu 22.04.4 LTS | 0 | | DO NOT TOUCH |
| st20mapp-p017 | studio2010 GmbH & Co KG | Ubuntu 22.04.4 LTS | 0 | | DO NOT TOUCH |
| sv-dmz-nc-1 | Grundschule Grasslfing | Ubuntu 22.04.4 LTS | 0 | yes | n/a |
| vzby-srv-web01 | Verbraucherzentrale Bayern | Ubuntu 22.04.2 LTS | 0 | yes | n/a |
| web4 | Softbox | Ubuntu 22.04.4 LTS | 0 | | n/a |
| web5 | Softbox | Ubuntu 22.04.4 LTS | 0 | | n/a |
| wiki | 03 Arch. GmbH | Ubuntu 22.04.2 LTS | 0 | | n/a |
| Z-CLOUD-01 | Phytron GmbH | Ubuntu 22.04.3 LTS | 0 | yes | n/a |
| z-jira | Phytron GmbH | Debian GNU/Linux | 0 | yes | n/a |
Notes:
- 22.03.24 - sv-dmz-nc-1: after the update of mariadb, mariadb wouldnt start again. Had to manually change `/etc/mysql/mariadb.conf.d/50-server.cnf` file. See <https://github.com/MariaDB/mariadb-docker/issues/560>
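Review bot: the intro promises OS, unattended-upgrade config, auto-update/-upgrade status and uptimes, but the table only has "unattended disabled" and "Manual update and reboot"; either add the missing columns or trim the description. The OS column also shows hosts past standard support: moodle (Ubuntu 16.04.7), SRV-APP04 (Ubuntu 16.04.5) and Heilmaier's nextcloud (Ubuntu 18.04.6) no longer receive regular security updates, and mahara.vhs-bayern.de is "CentOS ??"; the Comment column should say whether ESM or a migration covers them instead of "n/a". "wouldnt" should read "wouldn't".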

View File

@@ -0,0 +1,5 @@
## Rules to follow
- Keep Autotask updated: Every Evening
- Be at 8 o'clock in the office!
- Less procrastination

View File

@@ -0,0 +1,4 @@
mac-address:
- 00:19:99:b9:9a:a2 of interface enp8s0f0
- 00:19:99:b9:??:?? of interface enp8s0f1
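Review bot: the second address is a placeholder ("00:19:99:b9:??:??") and the file does not say which host these interfaces belong to; record the host name and complete the address from `ip link` on that machine.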

View File

@@ -0,0 +1,14 @@
## Source
- [unattended Winstall - Github](https://github.com/memstechtips/UnattendedWinstall)
- [answer files](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11)
- [unattended-generator](https://schneegans.de/windows/unattend-generator/)
## Meeting Michael (17.01.2025)
The steps we want to implement:
1. Win 11 OS autoinstall - the idea is to use Microsoft's own "Answer files"
2. AD coupling - it probably possible to also use the Answer files for this
3. Ninja Agent Installation - again, use answer file
4. SW Installation - User NinjaOne
5. OS and SW Configuration and Personalization - Use NinjaOne
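Review bot: step 2 ("AD coupling - it probably possible to also use the Answer files for this") implies putting domain-join credentials into the unattend file; an answer file is plain text on the installation medium and Windows keeps a copy on the installed system unless it is cleaned up, so state which account is used (a least-privilege join account) and how the file is removed after setup. Grammar: "it probably possible" should read "it is probably possible".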

View File

@@ -0,0 +1,14 @@
List of tickets/tasks to consider for the appointment at the 4th of July 2024:
| Number | Title | short description | company |
| -------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ------- |
| T20240627.0021 | Mail accounts | specific Subscription for projects desired | kwa |
| T20240627.0021 | AirDrop von iPad auf Rechner | AirDrop only function unidirectional | kwa |
| T20240624.0011 | VPN am Handy und iPad einrichten | for mobile devices we need the preshared key for ipsec to function. PSK missing. Probably we will set new one | kwa |
| T20240701.0047 | 2 MacBooks einrichten | | ssr |
| T20240702.0019 | Vor-Ort Support | std macbook setup. write manual for it | ssr |
| T20240619.0035 | Apple Mail-Programm: Implementierung von 2 externen Mail-Serverprogrammen | inlcude mail accounts into mail client | ssr |
| T20240612.0021 | Ninja-Onboarding | 2 Mitarbeiterinnen haben Ninja noch nicht auf ihren Rechnern | ssr |
| T20240611.0054 | Problem Projekt Pro | PP not working. Seems to be a general Problem. Mr. Schneider-Zimmer contacted the PP support. | ssr |
| T20240611.0020 | Speicher fast voll | delete unnecessary stuff. Jan planned an appointment for next week. | ssr |
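Review bot: the first two rows share ticket number T20240627.0021 ("Mail accounts" and "AirDrop von iPad auf Rechner"); one of them is wrong, so check Autotask. The VPN row says "PSK missing. Probably we will set new one": replacing the IPsec pre-shared key affects every device already configured with it, and the new key belongs in the credential store, not in the ticket. "inlcude" should read "include".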

View File

@@ -0,0 +1,52 @@
## Notes
- imac backup und einrichten
- telefonie
-
## Equipment
- Etikettiergeraet
- 4/5-Port Switch
- 8-Port Switch falls andere nicht geht
- LAN-Kabel
## WLAN KWA
- Fuege Grundriss in Unifi hinzu und schaetze optimale AP Position
## Neue Insel 1 im grossen Saal
- Neuer Arbeitsplatz: bestehende 24 Port Switch hernehmen + ein 4/5-Port Switch
- pruefe funktionsweise der alten Switch. Nehme Notfall Switch mit
- Tische Verkabeln
## Patch Switch Kabel Zuordnung
### Insel 1 KWA
| Label Patchpanel | Label Switch |
| ---------------- | ------------------- |
| 13 | 28 |
| 14 | 30 | Geht nicht
| 15 | 32 |
| 16 | 34 |
| 17 | 36 |
| 18 | 3 (SSR AP draussen) |
| 19 | 38 |
| 20 | 40 |
### Insel 3 SSR
| Label Patchpanel | Label Switch |
| ---------------- | ------------- |
| 31 | 24 |
| 32 | 12 |
| 33 | 13 |
| 34 | 14 |
| 35 | 15 |
| 36 | 23 (Telefon) |
| 37 | 16 |
| 38 | not connected |
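Review bot: the row "| 14 | 30 | Geht nicht" adds a third cell to a two-column table and will render broken; put "Geht nicht" in parentheses after 30 as the other rows do ("3 (SSR AP draussen)") or add a Comment column.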

View File

@@ -0,0 +1,32 @@
Kleiner Umbau am Do 03.10 - So 06.10.
## ToDos
* Wechsel Insel 1. und 3. (low Prio):
- Main: Patching anpassen
- Pruefe _zuvor_ das Labeling der Leitungen
- Am besten am 02.10 druchfuehren, so dass am 07.10 mit neuer Platzverteilung gearbeitet werden kann
- Insel 1, Labeling PatchPanel: 13-20, Labeling Switch:
- Insel 2, Labeling PatchPanel: 5-12, Labeling Switch:
- Insel 3, Labeling PatchPanel: 31-38, Labeling Switch:
- Insel 4, Labeling PatchPanel: 23-30, Labeling Switch:
* Neue "Insel 1" von SSr (siehe Plan unten) braucht Internet:
- 3 Kabel laufen an alten Insel 4 vorbei und laufen zu "PLAN rueber"
- Kabel bei alten Insel 4 freilegen und freie Ports an Patchpanel zum Serverraum koppeln
- Kabelzuordnung muss geklaert werden
- Wo enden Kabel bei neuer "Insel 1"?
- Switch u. AP bei neuer "Insel 1", damit 6 Plaetze Internet haben
* Neuer AP fuer Flaechendeckende Abdeckung
- Plane anhand bestehender Draufsicht und Groessenangaben
- Welcher AP? (Unifi, Ruckus, sonst.)
* Verkabelung nachvollziehen
- Patchpanel zu Tischen ist klar (Label)
- Patchpanel zu Switch nicht klar (Kabelsalat)
- orangene Wandkabel laufen alle(?) zu Patchpanel in Serverrack von KWA (wird Trennung erschweren)
## Bueroplaene
![SSR](ssr/ssr-after-umbau-plan.pdf)
![KWA](kwa/kwa-after-umbau-plan.pdf)
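Review bot: all four "Labeling Switch:" entries under "Wechsel Insel 1. und 3." are empty even though the appointment file on this page already records the switch ports for Insel 1 (patch panel 13 to 20) and Insel 3 (31 to 38); fill them in or link that table so the 02.10 re-patching has one source. "![SSR](ssr/ssr-after-umbau-plan.pdf)" and "![KWA](kwa/kwa-after-umbau-plan.pdf)" use image syntax for PDFs; plain links render.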

View File

@@ -0,0 +1,19 @@
## Abrechnung
- Einrichtung Laptops als Projekt buchen
## SSR/KWA
- Zur Not Kabel uebers Fenster aussen am Balkon fuehren
- unifi access point ok
- suche 8 Port Switch im Buero
## TU Web Server
- Install DokuWiki
## NeuKunde
- 10 - 15 Mitarbeiter
- Nutzen nur Macs
- Betreuen IBM GrossRechner

View File

@@ -0,0 +1,37 @@
## Notes
- naechster termin: 02.10: Inseltausch 1 <-> 3 (labelgeraet mitnehmen)
- Neuer Arbeitsplatz: bestehende 24 Port Switch hernehmen + ein 4/5-Port Switch
- Am besten Tische mit Kabelfuehrung und Unterfach
- Ueberlegung Telefone abzuschaffen und teams zu nutzen
- altes Insel 1 ein Lan Kabel beschaedigt?
-
## Patch Switch Kabel Zuordnung
### Insel 1 KWA
| Label Patchpanel | Label Switch |
| ---------------- | ------------------- |
| 13 | 28 |
| 14 | 30 |
| 15 | 32 |
| 16 | 34 |
| 17 | 36 |
| 18 | 3 (SSR AP draussen) |
| 19 | 38 |
| 20 | 40 |
### Insel 3 SSR
| Label Patchpanel | Label Switch |
| ---------------- | ------------- |
| 31 | 24 |
| 32 | 12 |
| 33 | 13 |
| 34 | 14 |
| 35 | 15 |
| 36 | 23 (Telefon) |
| 37 | 16 |
| 38 | not connected |
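Review bot: this "Patch Switch Kabel Zuordnung" table duplicates the one in the earlier appointment file on this page but silently drops the "Geht nicht" remark on row 14 to 30; keep the mapping in one file and link to it, otherwise the two copies will drift further apart.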

View File

@@ -0,0 +1,10 @@
## Netzwerkumstrukturierung
- Firewall (Kerio -> Sophos) und Access Points (-> Ruckus) dieses Jahr tauschen
- Switche und Rest naechstes Jahr
- Mit neuer Firewall Netzwerk umstrukturieren mit VLANs (mgmt, gast, intern)
## AP options
- <https://eu.store.ui.com/eu/en?search=mesh&category=all-wifi> "AC Mesh" recommended
- Ruckus thing
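Review bot: the VLAN plan lists only mgmt, gast and intern, while the later meeting notes on this page require "Backup im eigenen VLAN"; add a backup/NAS VLAN to the design now so the Sophos configuration does not need rework. "Ruckus thing" is a placeholder; name the model under consideration.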

View File

@@ -0,0 +1,21 @@
## Notes
### SSR/KWA next appointment
- IPhone setup for annika luedeke
- MacBook Setup for annika luedeke (MICHAEL)
- VPN on all iOS devices
- Mailboxes problem -> skip because there is a project to migrate to m365
- AirDrop test if issue is resolved
### SSR Apple id business manager
- managed Account: vpp-ssr@studio-stadt-region.de
- all other deprecated.
### iOS setup
Needed:
- Mail config
- Filewave integration
- VPN setup

View File

@@ -0,0 +1,11 @@
## KWA/SSR
| Name | Manufacturer | Expiration | Admin |
| ------------------------- | -------------- | ---------- | ----- |
| iLO Advanced | HPE | Permanent | sbx |
| vCenter | VMWare vSphere | | sbx |
| vCenter Server Essentials | VMWare vSphere | | sbx |
| vSphere 7 Essentials | VMWare vSphere | | sbx |
| vSphere Essentials | VMWare vSphere | | sbx |
| Vectorwrx rlm_server | Vectorworks | Permanent | sbx |
| Mailstore | Mailstore? | n/a | griD |
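Review bot: Expiration is empty for the four VMware rows (vCenter, vCenter Server Essentials, vSphere 7 Essentials, vSphere Essentials) and the Manufacturer for Mailstore is a question mark; fill these in, since the table exists to catch expiring licenses.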

View File

@@ -0,0 +1,13 @@
## Notes
- Kalendar und Kontakte migrieren
- Oeffentliche Ordner migrieren abgesehen von alten Projekten
- Nutzer Postfaecher mitmigrieren
- Lizenzen von altem Dienstleister auf uns uebertragen
- outlook in filewave kiosk integrieren, sodass es jeder runterladen kann
- kerio connect kuendigen nach der Migration. Lizenz Uebertragung pruefen
- aktuelle m365 Lizenz: Bussines Standard. Reicht erst mal aus
- Angebot schicken zu neuen Lizenzen
- pruefen wie voll die einzelnen Postfaecher sind

View File

@@ -0,0 +1,23 @@
## Teilnehmer
- Nina Schiffel
- Sebastian Peter
- Maximilian Kriesmair
- Petar Cubela
## Terminbeschluss
- KW9: 24.02 - 26.02
## Notizen
- 2 Raeume als 'Kontakte'
- Wo sind Kontakte abgelegt?

View File

@@ -0,0 +1,12 @@
## Links
- https://support.kerioconnect.gfi.com/hc/en-us/articles/360015196179-Migrating-Content-from-Kerio-Connect-to-Another-Platform
- https://www.recoverytools.com/kerio/migrator/buy.html
##
## Timing
- KWA: Im Oktober
- SSR: so schnell wie moeglich
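Review bot: the line "##" is an empty heading; remove it or give it the intended title.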

View File

@@ -0,0 +1,28 @@
## iPhone
- <https://mail.studio-stadt-region.de> besuchen - oder analog fuer kwa - und UNTER der login maske "profil runterladen" anklicken und anmelden ==> dies synced CalDAV, CardDAV, WebDAV aufs Handy
- VPN einstellen - Lokalen User im Kerio anlegen und Berechtigung fuer VPN geben. Am Handy in nativen VPN Einstellungen anlegen mit Typ: L2TP
## MacBook
### Checkliste
1. Mail Postfach anlegen (In Kerio Connect User anlegen)
1. Nutzer Profil in AD anlegen (In Univention User anlegen)
1. Nutzer Profil am Mac anlegen (Lokalen User an Mac Book anlegen)
1. iCloud (Sie erstellen selber ein iCloud Acc)
1. In M365 User anlegen und mit Lizenz versehen (Iwas mit Bussines-teuer-und-unverschaemt)
1. Mail Client (imap und smtp. Server: `mail.<domain.de>`, Credentials: Siehe Punkt 1.)
1. Calendar Config (manuell CalDAV. Server: `mail.<domain.de>`, Credentials: Siehe Punkt 1. )
1. Filewave Kiosk Client (https://kb.filewave.com/books/downloads/page/filewave-version-1542)
1. BusyContacts (manuell CardDAV. Server: `mail.<domain.de>`, Credentials: Siehe Punkt 1. )
1. icloud raumkalendar hinzufuegen (siehe IT-Glue. MFA otp auf sbx Smartphone)
1. NinjaOne Client (U know it)
1. Kerio VPN Client (Filewave Kiosk)
1. Projekt Pro (FileMaker Pro aus Filewave Kiosk. Projekt Pro ueber FileMaker einrichten und oeffnen bis zum Anmeldefenster)
1. Vectorworks (Filewave)
1. Microsoft Word/Excell/Powerpoint installieren und testen
1. Druckertreiber runterladen
https://eu.ninjarmm.com/agent/installer/665ef278-986b-4969-b436-26b1b254d6d5/studiostadtregionarchitekturstadtentwicklunghauptsitz-6.0.1816-installer.dmg
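Review bot: the NinjaOne installer link at the end is organization-specific; anyone holding it can download an agent that enrolls into that tenant, so keep it in the credential store and reference it from the "NinjaOne Client" step rather than pasting it into the checklist. The license in the M365 step ("Iwas mit Bussines-teuer-und-unverschaemt") should be named by its actual SKU so the next person orders the right one.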

View File

@@ -0,0 +1,22 @@
## Intro
Here, we shortly summarize how to onboard an iPhone.
### CheckList
- mail
- cal
- busycontacts
- teams
- vpn
## Mail, Contacts, Calendar
Follow:
- [Kerio Anleitung](https://manuals.gfi.com/en/kerio/connect/content/email-clients/mobile-devices/synchronizing-your-iphone-with-kerio-connect-251.html)
## Kerio VPN
1. Create a local user on the Kerio Firewall specific for VPN usage. Usage of the VPN has to be enabled explicitly.
2. Follow: <https://support.keriocontrol.gfi.com/hc/en-us/articles/360015189519-Configure-VPN-on-iOS-and-Android-devices>. (L2TP with Pre-Shared Key)
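Review bot: step 2 configures L2TP with a pre-shared key that every iPhone shares; record where the PSK is kept and that a rotation (as planned in the ticket list on this page) has to be rolled out to all devices. Step 1 says "Kerio Firewall" while the German checklist on this page says the VPN user is created "im Kerio"; the linked article is for Kerio Control, so name it explicitly.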

View File

@@ -0,0 +1,3 @@
<h2 id="problem">Problem</h2>
<p>On apple silicon hardware the Kerio VPN service is not enabled natively. Third party kernel extensions have to be enable on Apple silicon-based Macs.</p>
<p>Follow this <a href="https://macsupport.tuxera.com/hc/en-gb/articles/4409208805522-How-do-I-enable-third-party-kernel-extensions-on-Apple-silicon-based-Macs">guide</a>.</p>
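Review bot: this HTML file carries the same "Problem" text as the Markdown file that follows it; keep one format so a later correction does not have to be made twice.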

View File

@@ -0,0 +1,5 @@
## Problem
On apple silicon hardware the Kerio VPN service is not enabled natively. Third party kernel extensions have to be enable on Apple silicon-based Macs.
Follow this [guide](https://macsupport.tuxera.com/hc/en-gb/articles/4409208805522-How-do-I-enable-third-party-kernel-extensions-on-Apple-silicon-based-Macs).
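Review bot: the linked guide switches an Apple silicon Mac to Reduced Security so that third-party kernel extensions can load; say that this lowers the boot security posture of every Mac it is applied to, so the note reads as a trade-off rather than a plain fix. "have to be enable" should read "have to be enabled".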

View File

@@ -0,0 +1,75 @@
## Ressources
- <https://wiki.archlinux.org/index.php/samba#Server>
- <https://wiki.archlinux.org/title/Samba#Client>
## Intro
As is often the case the [Arch Wiki](https://wiki.archlinux.org/index.php/samba#Server) has a fantactically detailed entry on setting up and configuring a samba server.
## Simple Config
Login at the server which should act as the samba server.
- First, install samba:
```sh
yum check-update && yum install samba
```
- Next, modify/create a file at `/etc/samba/smb.conf` with the following contents (adapt this for your needs):
```sh
[global]
workgroup = SAMBA
server string = petar
security = user
guest ok = yes
map to guest = Bad Password
log file = /var/log/samba/%m.log
max log size = 50
printcap name = /dev/null
load printers = no
# Install samba-usershares package for support
include = /etc/samba/usershares.conf
[Share]
comment = Folder to share
path = /path/to/share
browseable = yes
read only = no
guest ok = no
```
- Samba requires setting a password separately from that used for login. You may use an existing user or create a new one for this purpose.
```sh
smbpasswd -a sbxadmin
```
- Existing samba users can be listed with:
```sh
pdbedit -L -v
```
- Once finished, ensure the samba service is restarted with:
```sh
systemctl restart smbd
```
## Security config on server
### Firewalld
- CentOS uses as standard local firewall `firewalld`.
```sh
firewall-cmd --permanent --add-service={samba,samba-client,samba-dc} --zone=public
```
### SELinux
SELinux not allow samba to access folders by default, to solve this, run:
```sh
setsebool -P samba_export_all_ro 1
```
## Client
Depends on client OS. Just use Windows. Noob!
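Review bot: "yum check-update && yum install samba" skips the install whenever updates are pending, because check-update exits with 100 in that case; run "yum install samba" on its own. "systemctl restart smbd" is the Debian/Ubuntu unit name; on CentOS (which the firewalld and SELinux sections imply) the unit is "smb". In the config, "guest ok = yes" in [global] together with "map to guest = Bad Password" turns every mistyped password into guest access and hides authentication failures; set "map to guest = Never" unless guest shares are wanted. "setsebool -P samba_export_all_ro 1" only permits read-only exports while [Share] has "read only = no" (samba_export_all_rw is the boolean for writable shares), and the "firewall-cmd --permanent" change needs "firewall-cmd --reload" to take effect. "fantactically" should read "fantastically".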

View File

@@ -0,0 +1,33 @@
## Intro
Meeting mit Stephan Krischke
## Zukunft
- Serverraeume sollen getrennt werden (sobald 3. Partei ausgezogen sind)
- Strikt getrennte Bueros
- Sicherheits Standards pruefen bei Office365. Welche Daten sollen einsehbarsein?
## Schutz
- Keine Wasserleitung
- Absperrbarer Schrank
- Schlechte Belueftung durch gekippte Fenster
- Bueros muessen strikt getrennt sein
- Es kann einfach Zugang zum Serverraum ueber das Fenster erlangt werden
- Rauchmelder kombiniert mit Temperaturmelder
## Mail
- Spamschutz fuer Microsoft365
- Defender nutzen, um abgesichert zu sein.
## AD
- Wie werden Passwoerter gesetzt?
## Needed
- Graphischer Netzwerkplan
- Backup Plan. Was wird wann gebackupt und wie oft? Backup im eigenen VLAN. Minimal 3-2-1. Am besten 3-2-1-0-0 (VLAN)
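Review bot: "Minimal 3-2-1. Am besten 3-2-1-0-0 (VLAN)": the extended rule is usually written 3-2-1-1-0 (one copy offline or immutable, zero errors after restore verification); a separate VLAN does not provide the offline/immutable copy, which is what the hardened-repository notes on this page are about. Under "Schutz", "Es kann einfach Zugang zum Serverraum ueber das Fenster erlangt werden" is a finding without an owner or a deadline; add both.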

View File

@@ -0,0 +1,76 @@
## Synology
### Storage
Die Synology hat zwei Storage Pools fuer verschiedene Zwecke.
Diese haben folgende Eigenschaften:
Storage Pool 1:
- RAID5 aus 3 HDDs mit je 7.3 TB (effektiv)
- Totale Kapazitaet von 14.5 TB
- Vierte HDD als "Hot Spare Drive" mit 7.3 TB
- SSD Cache mit zwei SSDs in einem RAID1
- Wird (in der Regel) genutzt als Dateienablage
Storage Pool 2:
- Synology Hybrid RAID mit zwei HDDs mit je 14.6 TB ("With data protection for 1-drive fault tolerance)
- Totale Kapazitaet von 14.5 TB
- Wird (in der Regel) genutzt als Ablage fuer Backups
### Ordner
Folgende Ordner liegen im Storage Pool 1:
- `SSR-750-BBSR-IBA'
- `SSR-ADMINISTRATION'
- `SSR-ARCHIV'
- `SSR-DATEN'
- `SSR-DATEN-AR'
- `SSR-DATEN-SE'
- `SSR-IT'
- `SSR-MITARBEITER'
- `SSR-PROJEKT-PRO'
Folgende Ordner liegen im Storage Pool 1:
- `SSR-BACKUP-INTERN`
- `SSR-BACKUP-KERIOCONNECT`
- `SSR-BACKUP-MAILSTORE`
- `SSR-TIME-MACHINE`
- `SSR-VM-BACKUP`
## Local Backup
### VMs
- Taeglich zwischen 4 Uhr und 5 Uhr morgens
- via "Active Backup for Business" ein Backup jeder VM
- Abgelegt im Ordner `/SSR-VM-BACKUP/ActiveBackupData/` im Storage Pool 2
### Ordner Backups
Von folgenden Ordnern wird ein lokales Backup gemacht von Storage Pool 1 nach Storage Pool 2:
- `SSR-ADMINISTRSTION` -> `/SSR-BACKUP-INTERN/SSR-ADMINISTRATION-BACKUP`
- `SSR-ARCHIV` -> `/SSR-BACKUP-INTERN/SSR-ARCHIV-BACKUP`
- `SSR-MITARBEITER` -> `/SSR-BACKUP-INTERN/SSR-COLLECT-BACKUP`
- `SSR-DATEN-AR` -> `/SSR-BACKUP-INTERN/SSR-DATEN-AR-BACKUP`
- `SSR-DATEN-AR` -> `/SSR-BACKUP-INTERN/SSR-DATEN-AR-BACKUP`
- `SSR-DATEN` -> `/SSR-BACKUP-INTERN/SSR-DATEN-BACKUP`
- `SSR-IT` -> `/SSR-BACKUP-INTERN/SSR-IT-BACKUP`
- `SSR-PROJEKT-PRO` -> `/SSR-BACKUP-INTERN/SSR-PROJEKTPRO-BACKUP`
Diese Backups werden taeglich (abgesehen vom Backup des SSR-ARCHIV Ordners, welches einmal die Woche stattfindet) durchgefuehrt. Einmal im Monat wird Daten Integritaets Check durchgefuehrt.
## Cloud Backup
Von folgenden Ordnern wird ein Cloud Backup(C2 Storage von Synology) gemacht von Storage Pool 1:
- `SSR-ADMINISTRSTION, SSR-IT` -> `/C2-SSR-ADMINISTRATION-IT-BACKUP`
- `SSR-ARCHIV` -> `/C2-SSR-ARCHIV-BACKUP`
- `SSR-DATEN-AR` -> `/C2-SSR-DATEN-AR-BACKUP`
- `SSR-DATEN-SE, SSR-750-BBSR-IBA` -> `/C2-SSR-DATEN-SE-BACKUP`
- `SSR-DATEN` -> `/C2-SSR-DATEN-BACKUP`
- `SSR-BACKUP-KERIOCONNECT` -> `/C2-SSR-KERIOCONNECT-BACKUP`
- `SSR-BACKUP-MAILSTORE` -> `/C2-SSR-MAILSTORE-BACKUP`
- `SSR-PROJEKT-PRO` -> `/C2-SSR-PROJEKTPRO-BACKUP`
Diese Backups werden taeglich abends zwischen 22:00 und 00:00 Uhr durchgefuerht.
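Review bot: comparing the local and cloud lists, SSR-MITARBEITER has no cloud backup, SSR-DATEN-SE and SSR-750-BBSR-IBA have no local backup, and SSR-TIME-MACHINE is in neither; if that is intended, say so, otherwise these folders exist in only one extra copy. The line "`SSR-DATEN-AR` -> `/SSR-BACKUP-INTERN/SSR-DATEN-AR-BACKUP`" appears twice (was SSR-DATEN-SE meant?), the second "Folgende Ordner liegen im Storage Pool 1:" should read Pool 2 (the VM section places the backup folders there), the Pool 1 folder names close with ' instead of `, and "SSR-ADMINISTRSTION" is misspelt twice.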

View File

@@ -0,0 +1,26 @@
## Intro
- Projekt in Frankfurt
- Datenerhebung bei Interviews
- projekt startet am 16.09 mit einer kampange, werbung, etc....
- kein(e) bestimmte(r) datenschutzbeauftragte(r) notwendig
## Problemstellung
- korrekte Aufnahme und Verarbeitung der personennenbezogenen Daten
- protokollierung des gesammelten daten und aufzeichnungen der gesammelten daten, aenderungen an den daten durchfuehrt
## Gespraech Meeting
- Umgang mit Daten haengt davon ab _welche personenbezogenen daten_ haben
- Welche Daten werden benoetigt?
- Werden die Daten anonymisiert bevor ssr sie erhaelt?
- Anbieter(in) fuer Newsletter finden, welches automatisiert die Daten verarbeitet und am besten auf keinem firmeneigenen firmenrechner speichert (kann ein kommerzieller genutzt werden)
- Wichitg ist herrauszufinden, welche Daten exakt ssr bekommt... Welche Anforderung hat die Stadt (nimmt die daten auf) an ssr?
-
## Ressources

View File

@@ -0,0 +1,31 @@
## List for ssr/kwa
### Large
- [ ] Kerio Lizenzen liegen noch bei griD (WIR WECHSELN ZU SOPHOS)
- [ ] Apple Business Manager (Michael ist dran)
- [ ] Handy VPN erkennt AD nicht fuer Authentizierung (erstelle lokale Nutzer fuer jeden)
- [ ] Mail client abonniert alle Projekte. Vor letztem Update war Auswahl moeglich spezifischer Postfaecher (Mail client synced alle postfaecher)
- [ ] Alle Lizenzen von griD zu uns holen
### Small
- [ ] Nina 2. MacBook
- [ ] Dominik Langsames MacBook
- [ ] Archivserver muss weg
- [ ] USV Warnmeldung verstehen und beheben
### Administrative
- [ ] Univention (AD) / Kerio Firewall needs Update
## done
- [x] Herr Wassmer Loschberechtigung bei Synology -> es gab dateien im ordner mit anderen berechtigungen
- [x] machraum email
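Review bot: "Handy VPN erkennt AD nicht fuer Authentizierung (erstelle lokale Nutzer fuer jeden)" creates per-person accounts outside AD; these survive AD offboarding, so add their removal to the leaver checklist and track them in the credential store. "Authentizierung" should read "Authentifizierung".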

View File

@@ -0,0 +1,22 @@
## Initial steps
- Ab dem 11.10 Serverumzug. Woche vorher planen
- Montag - Mittwoch nicht da (KW44)
- Vorher mit Elektriker absprechen
- Verkabelung
- Lage AP
- Bei Uebergehung und Abgabe dabei sein
## Preparation
### space and time
- friday November the 15th
- don-pedro strasse 7
### Equipment
- Viele Kable mitnehmen. Farbstandard umsetzen soweit moeglich.
- Werkzeug - Elektro und Standard
- Ettiketiergeraet - Papier und Batterie pruefen

View File

@@ -0,0 +1,29 @@
## Andere Aufgaben
- [ ] Cal und Teams am iPhone - Pauline
- [x] Telefon Problem - Allgemein
- [x] Vectorworks und Affinity - Annika
- [x] Mail - Ann-Christin
- [ ] Mac Kaputt - Alina
## Equipment
- [x] Viele Kabel mitnehmen.
- [x] Farbstandard raussuchen (https://softbox.eu.itglue.com/1959798/docs/1661909#version=published&documentMode=view)
- [ ] Werkzeug - Elektro und Standard
- [x] Ettiketiergeraet - Papier und Batterie pruefen
## Patch cables in Serverroom
| Servicetype | Color |
| --------------------------------------- | ------ |
| Network CLients (DHCP) | white |
| Server and Network components | black |
| Uplinks or Trunks (Internet entry also) | red |
| Phones | yellow |
| MGMT (ilo,usv,nas) | green |
| AP | blue |
| Special (Guest Net, DMZ, etc.) | orange |

View File

@@ -0,0 +1,8 @@
## Tasks
- [x] Handyeinrichtung
- [=] Foerster Mail und Cal
- [x] Pauline Handy
- [x] Switchtausch
- [=] SSL cert/Projekt Pro nachfragen ==> Safari DNS-AufloesungsProblem
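Review bot: "[=]" is not a Markdown task-list state and renders literally; use "[ ]" with a short status note, or "[x]" once done.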

View File

@@ -0,0 +1,18 @@
Date: 25.03.204
Important step after installation succeeded. [source](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_ubuntu_install.html?ver=120)
> By default, the user account you created during the installation is the member of the sudo group and has enough privileges to deploy and install required Veeam Backup & Replication components. In that case, when you add a Linux server as a hardened repository to the backup infrastructure and specify single-use credentials, you do not need to enter the password for the root account. After the repository is added, you must remove the user account from the sudo group to make it a non-root account. To do this, perform the following steps:
>
> a. Allow the user account to reboot and shutdown the operating system:
>
> `sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/reboot' >> /etc/sudoers"`
>
> `sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/shutdown' >> /etc/sudoers"`
>
> b. Remove the user account from the sudo group:
>
> `sudo deluser user1 sudo`
>
> Note that the next time you log in with this user account, it will lose sudo permissions. if you need to execute commands as a privileged user, you must boot the operating system into the single user mode.
>
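Review bot: the quoted steps append to /etc/sudoers with "echo ... >> /etc/sudoers", which bypasses the syntax check; a typo there leaves the account without working sudo before step b even runs, so write the two rules with "visudo" (or into /etc/sudoers.d/ via "visudo -f") and run "visudo -c" before "sudo deluser user1 sudo". Also "Date: 25.03.204" is missing a digit.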

View File

@@ -0,0 +1,62 @@
## Source
[Source](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=120)
## Intro - Hardened Repository
Backup files can be further protected by adding a hardened repository based on a Linux server to the backup infrastructure. It supports the following features:
- **Immutability:** when adding a hardened repo, specification of the time period while backup files bust be immutable is done. During this period, files stored in this repo cannot be modified or deleted.
- **Single-use credentials:** credentials that are used only once to deploy Veeam Data Mover, or transport service, while adding the Linux server to the backup infrastructure. These credentials are not stored in the backup infrastructure.
## About Hardened Repositories
<https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_about.html>
## Requirements and Limitations
### Linux Server
- The role of the hardened repository can be assigned to a Linux machine with local or remotely attached block storage. The machine must meet [system requirements for backup repos](https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html#repo).
> **Note**
>
> To reduce the attack surface, use a physical machine with local storage. For RAID configuration, recommendations are the following:
> - \[For the OS\] RAID 1 on SSDs with at least 100 GB disk space should be used.
> - \[For backup data\] RAID 6/60 with write-back cache should be used. At least one disk must be configured for the drive roaming.
> - Internal disk cache must be disabled.
> - RAID stripe size should be 128 or 156 KB.
- The Linux machine file system must support immutable files and extended attributes modified by the `chattr` and `setxattr` commands. We recommend using XFS for performance and space efficiency reasons (block cloning support).
- As the hardened repository requires the block storage, you cannot use the following storage types:
- NFS share or a Linux machine with the mounted NFS volume.
- A Linux machine with the mounted SMB (CIFS) volume.
- Depending on the Linux distribution, Veeam services use one of the following Linux firewall managers to operate correctly:
- `firewalld`
- `ufw`
- `iptables`
- `ip6tables`
If none of the firewall managers are installed, make sure that you open all required ports manually.
- You must add the Linux machine to the Veeam Backup & Replication console as a managed server. The hardened repository cannot be shared between different Veeam Backup & Replication servers.
- The Linux machine should have redundant network connection.
### Repository
- To store backup files in a repository, use only a forward incremental backup method with enabled active full backup or synthetic full backup. Once a backup file becomes immutable, it can be merged or deleted only when the immutability time period expires. For this reason, you cannot select a reverse or a forward incremental backup method.
- For importing a backup, use VBK backup files. Metadata files of a backup chain (.VBM) cannot be immutable because they are updated on every job pass.
- For security reasons, you cannot assign the role of the gateway server to the hardened repository. If you use backup copy and file copy jobs, the role of the gateway server must be assigned to the mount server associated with the hardened repository.
- Starting from version 12.1, Veeam Backup & Replication does not support symlinks in the path to the hardened repository.
### Immutability Feature
- To use immutability feature for backup copy jobs, enable the GFS retention policy.
- Do not use the immutability feature for a Nutanix Mine infrastructure. As Mine repositories contain thin-provisioned disks, there may be the case when Veeam Backup & Replication uses full storage capacity of a repository and cannot delete backup from the file system.
## Prepare a Linux Server
### Installing Ubuntu Linux Server
<https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_ubuntu_install.html?ver=120>
## Adding Hardened Repositories
1. [Launch the New Backup Repository wizard.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_launch_wizard.html)
2. [Specify the hardened repository name and description.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_specify_name.html)
3. [Specify a Linux server.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_specify_server.html)
4. [Configure hardened repository settings.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_configure_settings.html)
5. [Specify mount server settings.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_specify_mount_server.html)
6. [Review and apply settings.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_apply_settings.html)
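Review bot: "RAID stripe size should be 128 or 156 KB": 156 is not a stripe size controllers offer; check the linked Veeam page (256 KB?) before this guides a hardware order. "backup files bust be immutable" should read "must". The immutability bullet says a time period is specified but not which value this company uses; record the chosen period next to the retention policy.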

View File

@@ -0,0 +1,40 @@
## Introduction
[[veeam|Veeam]] is a backup and replication software.
## Requirements
- physical host with enough resources (especially storage) with ideally a 10 Gbit link
- **XFS** is the required filesystem
- compatible Linux **distribution** (Ubuntu 22.04 LTS should work)
## Storage
- RAID 10. Needs 4 drives (hardware raid controller)
- RAID 5. Optimally with 4 drives (hardware raid controller)
## Test in Lab
### Instructions (12.04.24)
1. [x] Build own network with OPNsense box
1. [x] Use PiKVM for display and keyboard output. In addition, use it as mass storage device
1. [x] set hardware raid
1. [x] Install Proxmox OS (which OS exactly)
1. [x] install ubuntu 22.04 as guest OS
1. [ ] set up ubuntu VM as required
1. [ ] research further requirements for immutable repo (XFS, enough storage, ideally 10Gbit link)
1. [ ] jan's oses: OPNsense (as Cluster), Web Server, E-Mail Server
### Instructions (16.04.24)
1. [ ] Install Proxmox on SSD (can be done at home)
1. [ ] Install Ubuntu VM following the Veeam install [guide](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_ubuntu_install.html?ver=120)
1. [ ] in Veeam setup hardened repo via the Linux Server
#### Questions
- How to couple the Linux server with the backup server?
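Review bot: the Storage section proposes RAID 10 or RAID 5, while the hardened-repository notes on this page recommend RAID 6/60 with write-back cache for backup data; align the lab plan with that before buying drives. The open question "How to couple the Linux server with the backup server?" is answered by the "Adding Hardened Repositories" steps in the previous file (add the machine as a managed server, then run the New Backup Repository wizard).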