Kieran Jacobsen Kieran Jacobsen

Ubiquiti UniFi - This Fallback IP Cannot Be Assigned Since It's Reserved for Resolving Connectivity Issues

I have used Ubiquiti UniFi equipment for quite a few years both at work and at home. I have used DHCP reservations (Ubiquiti calls this "Fixed IP Address") within my configuration to ensure that some client devices are assigned the same IP address by my Ubiquiti Dream Machine.

Several weeks ago, I wanted to access the web management portal for one of my IoT devices. Normally, this would be just https://ipofdevice:port, in this case, https://192.168.1.20:8080, however my browser told me that it couldn’t connect as the server didn’t respond. I knew the device was online, I could see it was, not only that, but it had also sent me several email alert messages.

After some brief troubleshooting, I quickly realised the device wasn’t using 192.168.1.20, it had been assigned a different address via DHCP. I was able to confirm this in the UniFi Network Application as well, more importantly, the reservation was gone.

Perplexed, but happy to find the issue, I tried to set the reservation back to 192.168.1.20, only to be told: "This fallback IP cannot be assigned since it's reserved for resolving connectivity issues". This caught me by surprise, this device has long since used 192.168.1.20, why had things suddenly changed?

Ubiquiti (and others) have long used 192.168.1.20 as a fallback address, but they previously didn’t prevent you from assigning it to a client. This all changed with the release of Unifi Network Application 7.4. With this new release, they reserved 192.168.1.20 and prevented its reservation for client devices.

Unfortunately, there isn’t a possibility to disable this application-level reservation of 192.168.1.20. This leaves us to:

  1. Use a different IP address for the clients DHCP reservation, or,
  2. Change the DHCP start range to be at least 192.168.1.21 and then assign a static IP address within your client (assuming you can do this).

Sorry I couldn’t provide any better alternatives, however I wanted to ensure that there were more details for the next person who runs into this issue.

Read More
PowerShell Kieran Jacobsen PowerShell Kieran Jacobsen

Installing PowerShell on Orange PI One

Hi Everyone,

I was a long-term user of Monitor-io, and I was saddened to hear that had planned to shutdown their services on April 15, 2023. I was excited to hear that unlike many IoT vendors, Monitor-io had made the decision to provide an option for their customers to continue to use their devices in a standalone manner.

A Monitor-io showing its local IP address

The Monitor-io unit consists of an Orange PI One and an LCD screen. The Orange Pi One is features an ARM processor – H3 Quad-core Cortex-A7, 512mb of DDR, 10/100mpbs Ethernet, and supports up to 32Gb of storage via micro-SD card. The Cortex-A7 is based off the 32bit ARMv7 instruction set, for those familiar with the Raspberry Pi, this is the same instruction set as the Pi 2 Model B.

Monitor-io provided an image based upon Armbian, and a shell script (netmonitor.sh) that provides basic ping checks to a list of targets listed in the targets.conf file using fping. The script updates the LCD display based upon the results from fping.

Before I started, I wanted to get PowerShell running. PowerShell doesn’t officially support the Orange Pi One, but there is a shared architecture, so I hopped for the best managed to get PowerShell 7.3.4 up and running.

The process was very similar to Installing on Raspberry Pi OS, use the following shell commands to download, and install the package. You will need to change the URL to match the right PowerShell version that you want to install.

###################################
# Prerequisites

# Update package lists
sudo apt-get update

###################################
# Download and extract PowerShell

# Grab the latest tar.gz
wget https://github.com/PowerShell/PowerShell/releases/download/v7.3.4/powershell-7.3.4-linux-arm32.tar.gz

# Make folder to put powershell
mkdir ~/powershell

# Unpack the tar.gz file
tar -xvf ./powershell-7.3.4-linux-arm32.tar.gz -C ~/powershell

###################################
# Optional - Create a symbolic link to start PowerShell without specifing path to pwsh bindar
sudo ln -s ~/powershell/pwsh /usr/bin/pwsh

I haven't fully tested and validated that everything is working, however items like Invoke-WebRequest, and Invoke-RestMethod both appear to function correctly. Most other basic commands also seem to be running without any issues.

Read More
PowerShell, Communities Kieran Jacobsen PowerShell, Communities Kieran Jacobsen

Planet PowerShell Update: Mastodon, Twitter, and Pronoun Support

Over the last few weeks, I have been working on some new features in Planet PowerShell.

Mastodon Support

As more users make the move to Mastodon, I wanted to ensure that Planet PowerShell could continue to support the community.

You can now follow Planet PowerShell on Mastodon, @[email protected]. New posts are automatically tooted using the #PowerShell and #pwsh hashtags.

There is now support for authors to share their Mastodon handles. Authors will need to specify a value for the MastodonHandle property. I have already included some authors’ handles where I was following them. If you are a Planet PowerShell author and have made the transition to Mastodon, please ensure you update your author .cs file.

Including Mastodon support was a simple decision for me, and I am extremely thankful that I have made the decision considering recent announcements (see Twitter Support). As part of the change, I needed to update from Font Awesome v4 to v6, you may notice some icons have slightly changed on the website.

Twitter Support

With the extremely unfortunate decision by Twitter to no longer provide free access to their API, Zapier have notified their users that they anticipate their integration to stop working. Planet PowerShell uses Zapier to post to Twitter, Facebook, and Mastodon.

At this stage, it appears that when Twitter’s API change occurs, the @Planetpshell Twitter will also go silent. This is incredibly disappointing. Over the years, Planet PowerShell has gained 3,358 followers, posted hundreds or blog posts and had tens of thousands of impressions each month.

If an alternative solution for posting becomes available, then we may see Planet PowerShell return to Twitter, until then, I recommend everyone follows the RSS, Mastodon, or Facebook page.

Pronoun Support

It is extremely important to me that Planet PowerShell is an inclusive community. Authors now have the option to specify their pronouns. Simply update the Pronouns property in your author .cs file, and the pronouns will be displayed on the Authors page. This is optional, but I highly encourage all authors to include their pronouns.

Analytics & Cookies

Analytics has been a big challenge with Planet PowerShell. I rely on analytics and usage information as part of my Microsoft MVP reporting; making use of a mix of values provided by Google Analytics and Cloudflare’s built in analytics. This isn’t a perfect solution, particular as there isn’t an effective measure for the RSS feed.

In the past, my side projects like Planet PowerShell have often influenced my work projects. Recently, the flow has reversed. After some discussions around GDPR and Analytics, I decided to make some changes to Planet PowerShell.

Planet PowerShell didn’t have a cookie consent mechanism, something that was a potential issue. CookieBot has a free tier for smaller websites, it works by scanning the website and collecting information on all the cookies in use; you just include a small snippet of code from CookieBot, and it will take care of prompting users to accept or reject various cookies. Due to the small number of pages, Planet PowerShell fits perfect in the free tier, with setup and testing being very quick and easy.

As I was implementing CookieBot, I discovered an issue with Planet PowerShell that goes back to the original fork from Planet Xamarin. When I made the fork, I made sure to update Google Analytics and Google Maps codes and keys, but I missed something. Planet Xamarin also made use of Clicky, a more privacy-friendly website analytics provider. I have update Planet PowerShell to use its own Clicky ID.

Lastly, I have also implemented Heap analytics. Heap analytics platform is one of the easiest to understand, and provides information in a concise manner. It still doesn’t help with the RSS feed, I hope will give me a better understanding of the interactions on the Planet PowerShell website.

My aim is to review the usefulness of the information provided by Google Analytics, Clicky, Heap and Cloudflare, and remove those who aren’t useful long term.

Looking for more authors!

I want to grow the number of authors whose content is aggregated as part of the Planet PowerShell feed. If you are an author, please take the time to add your blog. If you need help, feel free to message me and I will be able to assist.

Finally, I want to thank everyone of the support over the years with Planet PowerShell. Things have come a long way over the last 7 years. I can’t wait to see how things change in the next 7 years!

Read More
PowerShell Kieran Jacobsen PowerShell Kieran Jacobsen

PowerShell CSV Quick Hack – Redistributing Columns in CSV Files

These days, I spend much of my time working with spreadsheets or manipulating data that has come from systems in the form of CSV files.

This week I ran into an interesting issue where I ended up using some PowerShell tricks to change the structure of the data into a more useful format.

I found myself with a CSV file with the columns: Sender, Recipient, Recipient2, Recipient3… all the way to Recipient24. The file looked like this:

The original CSV file I was working with

Every row had a value for Sender and Recipient, however only some rows had values for Recipient2 and onwards.

What I needed was a list of Sender and Recipient, removing the other Recipient* columns and making them new entries. What I needed was a list that looked like this one:

The CSV layout I wanted

I am not an Excel guru, but I am handy with PowerShell, so I decided that I would clean this up with PowerShell.

My original thought was this process:

  1. Import the CSV file using import-csv
  2. Have a foreach loop that looked at each entry in the CSV file, and created new entries as follows.

My code looked like this:

$OriginalCSV = import-csv 'original.csv'
$NewCSV = @()
Foreach ($item in $OriginalCSV) {
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient}
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient2}
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient3}
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient4}
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient5}
    # ...
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient23}
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient24}
}
$NewCSV | Export-Csv -Path 'new.csv'

This code does what I needed, but it is far from perfect. I have copy-pasted the same code; it does not look very re-usable.

How could I make this code more reusable?

With PowerShell, I can dynamically build a reference to an object’s methods and members as so:

$Value=2
$item."Recipient$Value"

By adding a for loop, I can now pass throw each of the Recipient* columns without resorting to copy-pasting code. This allowed me to simplify my code down to:

$OriginalCSV = import-csv 'original.csv'
$NewCSV = @()

Foreach ($item in $OriginalCSV) {
    $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item.Recipient}

    for ($ii = 2; $ii -le 24; $ii++) {
        if ($item."Recipient$ii" -ne '') {
            $NewCSV = $NewCSV + [PSCustomObject]@{Sender = $item.Sender; Recipient=$item."Recipient$ii"}
        }
    }
}
$NewCSV | Export-Csv -Path 'new.csv'

Till next time,

Kieran

Read More
Presentations Kieran Jacobsen Presentations Kieran Jacobsen

Linux.conf.au 2022 – Avoiding DNS Pain

Once again, I was extremely fortunate to be speaking at Linux.conf.au. This year, I spoke on avoiding common DNS pain points by following a “DNS as code approach” with DNSControl.

This is a topic that I really enjoy speaking on, DNS is often overlooked when we move to a DevOps/DevSecOps operating model, but I am glad to say that we can make things better. I appreciated all the wonderful questions during the session. The Linux.conf.au crowd are always a great community to be part of.

You can check out the video here:

Read More
Security Kieran Jacobsen Security Kieran Jacobsen

Affordable Office 365 Backups with Synology Active Backup

When it comes to backups and Office 365, there are plenty of misconceptions in the industry. Yes, you do need to backup Office 365 data; No, it doesn’t have to cost you an arm and a leg. Synology’s Active Backup for Office 365 gives you backups without breaking your budget.

Synology reached to me and asked if I would be interested in reviewing their Active Backup suite. To help, they have supplied me with one of their latest generation devices a DiskStation DS920+. This is not a sponsored post and the thoughts within are my own.

Why Backup Your Office 365

Too many organisations and IT professionals believe that you do not need to perform backups of Office 365 data. The truth is, just like any other production system, you need to have a backup plan for this data.

Typically, backups are described as a copy of data that is taken and stored away from the original. A backup can be used to restore the original after a data-loss event. To be clear, backups are independent copies; they should be stored separately of the original data.

Microsoft doesn’t provide any services as part of Office 365 that fit this description. If you don’t believe me, just checkout their Office 365 compliance documentation (Microsoft O365 Mapping of CSA CMM v3.0.1):

Microsoft O365 Mapping of CSA CMM v3.0.1

Microsoft O365 Mapping of CSA CMM v3.0.1

People confuse backups for redundancy, particularly geo-redundancy that Microsoft provides with Office 365. Geo-redundancy involves replicating data between multiple sites, with the aim of ensuring that access to data is always available, even in the event of hardware or site failures. With replication, data deletion requests or data corruption will be replicated to each site. Replication doesn’t stop deletion or corruption; it doesn’t let you go back in time as there are no separate copies of the data.

People also confuse litigation holds and retention policies with backups. These controls allow you to specify how long data is held or retained by Office 365 even after a user deletes it. There are no separately stored copies of the data, for later restoration. If a file or message is corrupted, retention policies will simply define how long Office 365 keeps a copy of that corrupted piece of data.

Another consideration is compliance – everyone’s favourite topic. Most level and regulatory frameworks define a backup requirement or the ability to retrieve past data. Retention policies can help here, but backups are the only tool to ensure you truly meet your compliance requirements.

Synology Active Backup for Office 365

When you talk about backup products, Synology might not be the first vendor you think about. I am here to tell you needs to change. Synology’s Active Backup Suite is here to challenge the status-quo.

The Active Backup Suite comes as free packages that can be installed on any compatible Synology hardware. It offers a wide range of protection, including:

The focus of this review is Active Backup for Office 365, but I encourage you to check out the rest of the Active Backup Suite.

Cost Effective Backups

I am impressed with how Synology has positioned itself in what could be considered a crowded solution space. They have positioned themselves as being cost-effective, by ditching the per-user licensing model of their competitors. All you need is a compatible Synology NAS and enough storage, and you are good to go.

I will admit, the licensing model grabbed my attention when Synology first contacted me. No per-user licensing, they must be crazy. As the Head of Information Technology at Telstra Purple, I spend a significant portion of my time navigating vendor licensing models. Most products in the Office 365 backup space make use of a per-user monthly or yearly subscription model, something that looks low cost for small user counts, but as you scale out, the cost can get out of hand.

I wanted to get a rough idea of the cost difference between Synology and one of its competitors. As I said, this is a rough estimate, but helps to show how Synology are positioning Active Backup for Office 365. In this example, I will be working with an Office 365 tenant that has 500 users, and I want to retain the backups for 7 years. Below are my estimates (in AUD).

Active Backup for Office 365 Competitor's Product
User licensing $0 $10,000/year
Server Synology DiskStation DS3617xs @ $3900 Azure D4v3 @ $500/month
Storage 12 NAS rated 10TB Disks @ $550/each Azure Storage @ $2000/month
Total Costs
Yearly cost $10,500 $40,000
Total cost over 7 years $10,500 $280,000

I realise this this isn’t the fairest of comparisons, with power, cooling and replacement hard disks have not factored into the Synology estimate. I have also assumed a fixed amount of Azure Storage consumption for the competitor. What should be clear is that the biggest factor on overall cost is the yearly per user licensing.

As someone who is responsible for maintaining an IT budget, I must admit, it would be hard to choose the more expensive option.

Easy to Configure Backups

From personal experience, enterprise backup solutions were always complicated to configure and maintain. I still have nightmares about troubleshooting backups on Exchange 2010! Due to this experience, I allocated plenty of time to setup Active Backup for Office 365, only to be surprised when it took all of 10 to 15 minutes. I was also impressed to see support for multiple Office 365 tenants.

Currently, Active Backup offers protection for OneDrive, Exchange Online (mail, contacts, calendar and online archive) and SharePoint sites. In the beta release, there is addition support for Office 365 groups. The only thing I really would like to see is support for Microsoft Teams chat and conversation history.

I really liked how you can specify if newly created Office 365 user accounts are automatically included in each backup tasks. This is a great touch as it reduces the amount of work required when onboarding new users, awesome for those forgetful system administrators.

My only disappointment when configuring backup tasks was how you specify data retention. Active Backup for Office 365 provides two options: keep all versions or specify how many days a copy should be kept. Every vendor has their own approach for specifying retention policies, and Synology isn’t alone with the all or number of days approach. I personally prefer how retention policies are specified in Azure Recovery Vaults. This issue isn’t a showstopper, but more fine-grained policies might allow for better storage efficiency.

Easy to Restore Content

Synology haven’t just made running backups easy, they also made it easy to restore content with an end-user accessible self-service portal. From the Active Backup for Office 365 Portal, users can choose to restore data that may have been deleted or corrupted, without the need for administrator involvement.

Providing self-service options to your users is a critical aspect to the success of any IT team. The simple option of allowing users to perform tasks, like restoring Office 365 files and content makes them feel empowered and most importantly, frees up your IT team to work on more important tasks. Self-service will make you and your users happy.

Unfortunately, I found the portal a little bit difficult to navigate. I wish the interface more closely resembled the Office 365 user interface, as that would have felt more intuitive. I felt the mechanism to switch between viewing mail, OneDrive, contacts and calendar items wasn’t obvious at first.

Synology recommends enabling single sign-on (SSO) with Azure Active Directory. This will allow users to connect to the portal using their Office 365 credentials, no need for separate accounts. This isn’t required, but I would expect this to be setup for production environments. If you wish to use accounts created on the Synology, just ensure that the email address matches between the Synology account and the Office 365 account.

Synology currently only supports one SSO provider, so if you are performing multi-tenant backups, you will need to consider which Azure AD you federate with. SSO is configured via Azure AD application registration, so you will not need Azure AD Premium licenses.

Overall Thoughts

Setup is simple.
Support for user self-service data restoration.
Support for multiple Office 365 tenancies.
No per user licensing, subscriptions or renewals.
No support for Teams conversation history. Currently supports OneDrive, Exchange (mail, contacts, calendar and online archives) and SharePoint sites.
Retention policies are someone limited.
Requires the purchase of hardware.

I am really impressed by Active Backup for Office 365. Setting up Synology appliances and applications has always been very user friendly. The setup and restore experience are well designed and when integrated with Azure AD sign-on, provide end-users with self-service content restoration.

I believe the licensing model will be highly attractive to many organisations, even large enterprises; however the misconception that Synology’s market is home users, hobbyists and small businesses may result in many IT professionals to not thoroughly consider Active Backup for Office 365. Don’t fall for this misconception.

As someone who leads the internal IT team for a cloud first organisation, I can see the requirement to purchase Synology hardware a drawback. This could be a real blocker. Synology have some cloud offerings, perhaps their next step would be to offer Active Backup as a SaaS product.

I recommend that anyone supporting Office 365 environments to look at Active Backup for Office 365. It allows you to meet your organisations backup and data protection requirements as a cost-effective price point. I am and will recommend Active Backup for Office 365 to customers, clients, friends.

Active Backup for Office 365 is under active development, there are additional features and fixes already available in the public beta release.

I want to thank Synology for giving me the opportunity to work with DiskStation DS920+, it is a remarkable device that is very suited for IT professional and hobbyist use.

Read More
Security Kieran Jacobsen Security Kieran Jacobsen

Protecting yourself against the BlueGate RDP Gateway vulnerability

Schadenfreude is a wonderful feeling, but when it comes to information security, we must always remember that we live in glass houses. Over the past few months, as vulnerabilities have been rampantly exploited in SSL VPN products like those from Pulse, Fortinet and Citrix; I found myself deriving some enjoyment. Karma of course, was on its way.

Microsoft patched two vulnerabilities, dubbed BlueGate, as part of the January Patch cycle. These vulnerabilities are pre-authentication Remote Code Execution (RCE) rated. The vulnerabilities could allow remote code execution when an unauthenticated attacker connects to a target system using RDP and sends specially crafted requests. MFA will not protect you from this vulnerability. These vulnerabilities can be found in Windows Server 2012, 2012R2, 2016 and 2019.

Considering that RDP Gateway servers typically exist to provide a mechanism for users outside of to access trusted internal systems, exploiting this vulnerability could potentially provide network wide access to an attacker.

Security researcher Ollypwn has released proof-of-concept (PoC) that results in a denial of service (DoS). Luca Marcelli has also released a video showing a working RCE exploit.

Thankfully there is a small glimpse of hope. The vulnerability only affects the UDP transport (port 3391) option of the RDP Gateway components. Depending upon the configuration, administrators may have only exposed the HTTPS transport to the Internet. One potential mitigation, if patching is not an option, is to disable or block the UDP transport.

If you run RDP Gateways, please work to ensure that you patch or disable the UDP transport as quickly as possible. As with the Shitrix or SSL VPN vulnerabilities, once RCE exploit code is released, I expect attackers to include this in their ransomware toolkit much as they have.

Read More
PowerShell, Security Kieran Jacobsen PowerShell, Security Kieran Jacobsen

Mitigating IE Zero-Day (CVE-2020-0674/ADV200001) with PowerShell and Intune

Microsoft published a security advisory (ADV200001) containing mitigations against an actively exploited zero-day remote code execution (RCE) vulnerability in Internet Explorer. At time of writing, there is no patch for the vulnerability. Microsoft is expecting to release a patch as part of the usual Patch Tuesday (Wednesday for some of us) cycle.

Microsoft has provided some mitigation steps that can be applied; however, they only recommend taking these steps if there is an indication you are under elevated risk. One of the problems with the mitigation steps is that you MUST revert the changes before you can install any future updated.

The mitigations also come with some side-effects; their impact might be too much for some organisations. Side-effects include:

  • Printing to HP printers and other USB printers mail fail.
  • Windows Media Player is reported to break on playing MP4 files.
  • Sfc.exe will break.
  • Printing to "Microsoft Print to PDF" is reported to break.
  • Proxy automatic configuration scripts (PAC scripts) may not work. For me, I couldn’t imagine managing some enterprise environments without PAC scripts. That alone would be a good reason to not deploy these fixes.

If after all of this, you want to still apply these mitigations. I put together some quick guidance for their implementation with Intune.

Enabling the mitigations

  1. Get a copy of the Enable-ADV200001.ps1 script from my GitHub repository.
  2. Sign-in to the Microsoft Endpoint Manager Admin Center.
  3. Select Devices > PowerShell scripts > Add.
  4. In Basics, enter the Name: Enable IE Mitigations for ADV200001, and select Next:
  5. In Script settings, browse to where you downloaded the Enable-ADV200001.ps1 script, leave everything else at their default settings, and select Next:
  6. Select Scope tags. Scope tags are optional, if you don’t use this feature, select Next.
  7. Select Assignments > Select groups to include. Select with groups this script should be applied to, select Next.
  8. In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.

Disabling the mitigations

  1. Get a copy of the Disable-ADV200001.ps1 script from my GitHub repository.
  2. Sign-in to the Microsoft Endpoint Manager Admin Center.
  3. Select Devices > PowerShell scripts > Add.
  4. In Basics, enter the Name: Disable IE Mitigations for ADV200001, and select Next:
  5. In Script settings, browse to where you downloaded the Disable-ADV200001.ps1 script, leave everything else at their default settings, and select Next:
  6. Select Scope tags. Scope tags are optional, if you don’t use this feature, select Next.
  7. Select Assignments > Select groups to include. Select with groups this script should be applied to, select Next.
  8. In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.

More guidance can be found here Use PowerShell scripts on Windows 10 devices in Intune

Just remember that before your next patch cycle, you need to disable the mitigations, otherwise the updates will fail.

Read More