FortiGate 80F to Unifi Security Gateway Pro 4 IPSec Tunnel Issues

I have recently replaced an older Cisco ASA 5550 with a FortiGate 80F. Firewalls are not exactly in my guru status, so I do bring in a networking consultant company to help with these types of things. They are actually the ones that recommended the FortiGate 80F. However, they are quite busy, so it’s up to me to learn the systems and troubleshoot much of it, especially when it falls outside the FortiGate brand.

For years, the Cisco ASA 5550 had an IPSec Tunnel that worked flawlessly with the Unifi Security Gateway Pro 4 (USG-PRO-4). But the Cisco did not work well for more modern firewalls with other companies and AWS, which is one of the primary reasons I changed it out.

Things seemed to go well at first after a weekend install, though we didn’t do much monitoring of the specific tunnel as we didn’t get any complaints, and it’s not used that often under sustained traffic. However, the next weekend I received a complaint that RDP from the FortiGate SSL-VPN tunnel, through the USG tunnel, was failing about every 1.5 minutes.

Being new to the FortiGate, and not having touched the Unifi interface in years, it was cold turkey learning for me.

The network consultants and I went through a great deal of troubleshooting, including turning off DTLS on SSL-VPN. They saw packet errors, via the counters, on the tunnel using the following command on the FortiGate:

get vpn ipsec tunnel summary

which returned

tx packets: 1992 bytes: 1092273 errors: 134

The USG side is connected to the Internet via a cable modem from Cox on a business plan. It isn’t exactly fiber and can be prone to oversubscription (as we saw during the pandemic); however, the Internet connection wasn’t showing any symptoms there, and we didn’t see much, if any, packet loss or errors via some long ping cycles to services such as Google DNS (8.8.8.8) and the public side of the FortiGate. They saw about 300ms ping times with some jitter coming from their network, but we didn’t feel that this was really out of the ordinary for a cable modem. We even opened a Tier 3 ticket with Cox and they monitored the traffic for 24 hours, seeing no issues.

We did try some diagnostic tools such as iperf3 and WinMTR, but those didn’t really give us anything useful.

Dead Peer Detection (DPD) was disabled on the IPsec tunnel. DTLS was disabled on the SSL-VPN. And Perfect Forward Secrecy (PFS) was disabled.

On the FortiGate, I saw a lot of “phase 1 negotiate error w/ PAYLOAD-MALFORMED” and “phase 2 negotiate error w/ progress IPsec phase 2” errors in the VPN events section of the Fortinet UI.

After turning off DPD and PFS, I realized that this had a big impact on the frequency of tunnel reconnections, so I did some more digging.

After disabling PFS, the “PAYLOAD-MALFORMED” errors went away and I started seeing “INVALID-ID-INFORMATION”.

I did some playing around with using IKEv2 for Phase 1, but that did not work, so I reverted to IKEv1. I also messed with the AES and SHA1 encryption and hashing along with the DH groups. When I change these, the tunnel starts to work in many cases, but then the issues just come back after a while. For now I settled on AES128-SHA1 with DH group 5.

I disabled allowing the USG VPN to access the site-to-site tunnel. This was causing error noise, as the USG VPN IP pool was not set up to be received on the FortiGate. I also corrected/narrowed the Phase 1 and Phase 2 encryption and hashing proposals on the FortiGate. The FortiGate had copied over settings from the Cisco 5550, which was fairly broad in allowing many options, but here those were just causing error noise and negotiation issues. These are set together for phase 1 and phase 2 on the USG, but separately, hidden away under Advanced, on the FortiGate. After doing this the packet errors went away!
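What the narrowed proposals look like as configuration, as an added example rather than the author’s actual config: the FortiGate side in FortiOS CLI, and the strongSwan conn that the USG side needs to end up with. The tunnel name Site1, the 1.2.3.4/5.6.7.8 gateway addresses and the 10.11.12.0/24 and 10.13.14.0/24 subnets are taken from the log excerpts on this page; the interface name, the lifetimes and the PSK placeholder are assumptions. DPD and PFS are off to match the state described above. The USG’s ipsec.conf is generated by the UniFi controller, so the conn shown is what the controller’s site-to-site settings should render to, not a file to hand-edit.

```text
# FortiGate (FortiOS CLI): one proposal each for phase 1 and phase 2, DH group 5,
# DPD and PFS off. "wan1" and the PSK value are placeholders (assumptions).
config vpn ipsec phase1-interface
    edit "Site1"
        set interface "wan1"
        set ike-version 1
        set remote-gw 5.6.7.8
        set peertype any
        set proposal aes128-sha1
        set dhgrp 5
        set dpd disable
        set keylife 28800
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "Site1"
        set phase1name "Site1"
        set proposal aes128-sha1
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 10.13.14.0 255.255.255.0
        set dst-subnet 10.11.12.0 255.255.255.0
    next
end

# USG (strongSwan ipsec.conf as rendered by the controller): the same single
# proposals. The trailing "!" makes them strict; no DH group in esp= means no PFS,
# and modp1536 is DH group 5.
conn site1
    keyexchange=ikev1
    authby=secret
    left=5.6.7.8
    leftsubnet=10.11.12.0/24
    right=1.2.3.4
    rightsubnet=10.13.14.0/24
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1!
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=none
    auto=start
```

Keep the phase 1 and phase 2 lifetimes equal on both sides; mismatched lifetimes are a common source of tunnels that drop on a fixed cycle, and they are easy to overlook because each UI labels them differently.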

At this time I learned how to output IPSec logs on the FortiGate via SSH:

diagnose debug duration 480
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 1.2.3.4
diagnose debug application ike -1
diagnose vpn ike gateway flush name %Tunnel-Name%
diagnose vpn tunnel stat flush %Tunnel-Name%
diagnose debug enable

The gateway flush tears down the existing IKE SA so the log captures a fresh negotiation from the start, which briefly interrupts the tunnel. When you are done, turn the output off and reset the debug levels:

diagnose debug disable
diagnose debug reset

I started with -255 verbosity, which only gave me this:

ike 0:site1:3903: nat unavailable
ike 0:site1:3903:Site1-sslvpn:578090: quick-mode negotiation failed due to retry timeout
ike 0:site1:3903:Site1-sslvpn:578119: quick-mode negotiation failed due to retry timeout
ike 0:site1:3903:Site1-sslvpn:578154: quick-mode negotiation failed due to retry timeout

But once I started using -1, it gave me a great deal more useful information. This started giving me “phase 2 proposals not being received”, which was a useful clue.

This round it started failing at Phase 2 with this error around 60 hours in.

I then started doing some digging on the USG to see what I can find via SSH. VPN logs are stored on the USG at /var/log/charon.log.

tail -f /var/log/charon.log

However, these did not prove to be much use. I then found a real-time console output of the IPsec connection information using “swanctl”. See https://docs.strongswan.org/docs/5.9/swanctl/swanctl.html.

sudo swanctl --log

at which point I found these, when the cycle of constant tunnel reconnections occurs:

invalid HASH_V1 payload length, decryption failed?

It turns out the USG-PRO-4 runs the strongSwan server, version 5.2.2, for IPsec, and the Ubuntu version is from 2019. From what I’m reading, this is the same server the Cisco ASA ran. I would assume around the same version. This version is from 2015, and there have been many gripes with issues in this version area.

After some investigation, I found that people were resolving this with a shorter pre-shared key and removing special characters. That case was an IPsec connection from a mobile device; the poster said Android 7 worked fine but started getting this with Android 9, though the error seemed to appear in earlier minor versions too. So I’m not confident this is related.

I’m also seeing suggestions to dumb down the encryption even further from AES128-SHA1 to 3DES-SHA1. (3DES is deprecated; treat that as a diagnostic step, not a setting to leave in place.)

Now granted, it takes about 4 days for this issue to arise, so it’s possible they didn’t wait long enough and followed up in the forum. But it’s worth a shot to simplify the pre-shared key. Currently, it is 22 characters consisting of upper/lower case and numeric. Going to just 8 upper/lower case characters. Note that an 8-character alphabetic pre-shared key is a weak secret for a site-to-site tunnel; if the shorter key helps, it is worth going back to a long key made only of alphanumerics once the tunnel is stable.

Interestingly enough, I found the config files on the USG for Strongswan that contain the IPSec/VPN configs and pre-shared keys.

Changing the pre-shared key didn’t work; however, I’m not positive I got it to the state where that mattered. After a number of tries to low-key reset things (config reload, tunnel down/up, etc.), it seemed that only ‘sudo ipsec restart’ (restarting the ipsec/strongSwan service on the USG) took care of it. A provision to the USG didn’t do the trick, not sure why.

sudo ipsec restart

So if this problem crops up again (in 4 days?), I’ll create a cron job to restart ipsec at 3am each day.
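A safer form of that cron job, as an added example and not something from the original post: it only restarts strongSwan when the connection really has no IKE SA or no CHILD SA, so a healthy tunnel is never torn down at 3am for nothing, and it records why it restarted. The connection name “site1”, the script path and the 5-minute interval are assumptions (check the real name with `sudo ipsec statusall`); the status lines it parses follow strongSwan’s usual `ipsec statusall` format. How the script and cron entry are persisted across a USG provision is outside this example.

```sh
#!/bin/sh
# ipsec-watchdog.sh: restart strongSwan on the USG only when the site-to-site
# connection is actually down. Added example, not from the original post.
# Assumptions: the UniFi-generated connection is named "site1" (override with CONN=),
# and `ipsec statusall` prints strongSwan's usual "name[n]: ESTABLISHED" and
# "name{n}:  INSTALLED" lines for a healthy tunnel.

CONN="${CONN:-site1}"
RESTART_CMD="${RESTART_CMD:-ipsec restart}"

# Reads `ipsec statusall` output on stdin and prints the state of connection $1:
#   0 = IKE SA established and CHILD SA installed (healthy)
#   1 = IKE SA established but no CHILD SA (phase 2 is what is failing)
#   2 = no IKE SA for this connection at all
tunnel_state() {
    conn="$1"; ike=0; child=0
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}        # strip leading spaces
        case "$line" in
            "$conn"'['*']: ESTABLISHED'*) ike=1 ;;
            "$conn"'{'*'}:'*'INSTALLED'*) child=1 ;;
        esac
    done
    if [ "$ike" -eq 1 ] && [ "$child" -eq 1 ]; then echo 0
    elif [ "$ike" -eq 1 ]; then echo 1
    else echo 2
    fi
}

# Runs the status command given as arguments, restarts strongSwan if the tunnel is
# not healthy, and returns the state so a caller (or a test) can see what happened.
check_and_restart() {
    state=$("$@" | tunnel_state "$CONN")
    if [ "$state" -ne 0 ]; then
        echo "$(date '+%F %T') $CONN state=$state, running: $RESTART_CMD" >&2
        $RESTART_CMD
    fi
    return "$state"
}

# Root's cron entry (every 5 minutes) once the script is saved somewhere persistent
# on the USG; the path is an assumption:
#   */5 * * * * /config/scripts/ipsec-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    check_and_restart ipsec statusall
fi
```

State 1 versus 2 is worth logging separately: a tunnel that keeps landing in state 1 has a working phase 1 and a failing quick mode, which is the pattern the FortiGate log showed above, while state 2 means the peer never got past IKE at all.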

In conclusion, it appears the major issues are:

  • Dated version of the USG’s strongSwan server from 2015, even on the current firmware version
    • Potentially reducing the pre-shared key complexity/size (TBD)
  • Removing encryption/hashing options that do not exist specifically on each IPSec’s configuration
  • Removing the auto-generated tunnel selectors on the USG that do not have a policy on the FortiGate

Here is what you want to see in the diagnostic console output on the FortiGate when the phase 2 (quick mode) proposals match:

2023-05-25 17:55:47.927110 ike 0:Site1:5673:873531: peer proposal is: peer:0:10.11.12.0-10.11.12.255:0, me:0:10.13.14.0-10.13.14.255:0
2023-05-25 17:55:47.927138 ike 0:Site1:5673:Site1:873531: trying
2023-05-25 17:55:47.927480 ike 0:Site1:5673:Site1:873531: matched phase2
2023-05-25 17:55:47.927509 ike 0:Site1:5673:Site1:873531: autokey
2023-05-25 17:55:47.927551 ike 0:Site1:5673:Site1:873531: my proposal:
2023-05-25 17:55:47.927575 ike 0:Site1:5673:Site1:873531: proposal id = 1:
2023-05-25 17:55:47.927598 ike 0:Site1:5673:Site1:873531:   protocol id = IPSEC_ESP:
2023-05-25 17:55:47.927621 ike 0:Site1:5673:Site1:873531:      trans_id = ESP_AES_CBC (key_len = 128)
2023-05-25 17:55:47.927645 ike 0:Site1:5673:Site1:873531:      encapsulation = ENCAPSULATION_MODE_TUNNEL
2023-05-25 17:55:47.927668 ike 0:Site1:5673:Site1:873531:         type = AUTH_ALG, val=SHA1
2023-05-25 17:55:47.927696 ike 0:Site1:5673:Site1:873531: incoming proposal:
2023-05-25 17:55:47.927718 ike 0:Site1:5673:Site1:873531: proposal id = 0:
2023-05-25 17:55:47.927741 ike 0:Site1:5673:Site1:873531:   protocol id = IPSEC_ESP:
2023-05-25 17:55:47.927763 ike 0:Site1:5673:Site1:873531:      trans_id = ESP_AES_CBC (key_len = 128)
2023-05-25 17:55:47.927786 ike 0:Site1:5673:Site1:873531:      encapsulation = ENCAPSULATION_MODE_TUNNEL
2023-05-25 17:55:47.927813 ike 0:Site1:5673:Site1:873531:         type = AUTH_ALG, val=SHA1
2023-05-25 17:55:47.927844 ike 0:Site1:5673:Site1:873531: negotiation result
2023-05-25 17:55:47.927867 ike 0:Site1:5673:Site1:873531: proposal id = 0:
2023-05-25 17:55:47.927889 ike 0:Site1:5673:Site1:873531:   protocol id = IPSEC_ESP:
2023-05-25 17:55:47.927912 ike 0:Site1:5673:Site1:873531:      trans_id = ESP_AES_CBC (key_len = 128)
2023-05-25 17:55:47.927935 ike 0:Site1:5673:Site1:873531:      encapsulation = ENCAPSULATION_MODE_TUNNEL
2023-05-25 17:55:47.927957 ike 0:Site1:5673:Site1:873531:         type = AUTH_ALG, val=SHA1
2023-05-25 17:55:47.927979 ike 0:Site1:5673:Site1:873531: using tunnel mode.

When phase 2 expires, you want to see this:

2023-05-25 18:03:36.056951 ike 0:Site1: IPsec SA {id}/{id} hard expired 23 1.2.3.4->5.6.7.8:0 SA count 2 of 4
2023-05-25 18:03:36.057106 ike 0:Site1:5673: send IPsec SA delete, spi {id}
2023-05-25 18:03:36.057224 ike 0:Site1:5673: enc {id}
2023-05-25 18:03:36.057273 ike 0:Site1:5673: out {id}
2023-05-25 18:03:36.057361 ike 0:Site1:5673: sent IKE msg (IPsec SA_DELETE-NOTIFY): 1.2.3.4:500->5.6.7.8:500, len=76, vrf=0, id={id}/{id}:{id}

If all goes well, I’ll look into adding back in DPD, PFS, and DTLS as well as increasing the encryption, hashing, and DH levels.

Other UniFi USG Commands for IPSec:

sudo ipsec statusall
sudo ipsec up <connection_name>
sudo ipsec down <connection_name>

Now that I’m aware of the legacy server versions on the USG-PRO-4, the end-game is to replace the device, perhaps with an EdgeRouter X. The current firmware is up-to-date and I’ve seen Ubiquiti’s lack of updates and support for this item, even though it’s not marked end-of-life.

#80f, #fortigate, #ipsec, #networking, #security-gateway, #tunnel, #unifi, #usg-pro-4

Copying AWS EC2 Tags to EBS Using PowerShell

These days when creating an EC2 instance in the AWS console UI, by default, the tags are duplicated across the Elastic Block Store (EBS) and Elastic Network Interface (ENI) resources being created with it. But what happens if you have an older instance that didn’t do that, or you add tags to an EC2 instance and need them reflected across attached resources? It’s easy when you only have a few EC2 instances: just copy/paste in the console UI. But what if you have them in bulk?

I did my Googling and came across what seemed to be the quickest solution: AWS PowerShell (yes, I’m a Windows user)

I came across “Tag AWS EC2 EBS volumes with the instance name tag” by Alex Neihaus written in 2017 and modified it slightly to fit my needs. But as a new user to AWS PowerShell, it took me a little bit of a learning curve, especially as the method has changed from a legacy Windows-specific, single, large-module version of AWS Tools for PowerShell. Instead, I used a modularized version of AWS Tools for PowerShell where each AWS service is supported by its own individual, small module, with shared support modules AWS.Tools.Common and AWS.Tools.Installer.


Debloat Windows 11

Perform the following at your own risk. Microsoft does not support this program, which is maintained by an individual I do not know personally and whose reputation I do not know well.
It is recommended to perform this cleanup only after a clean install. Using this after customizing or installing programs may end with undesired consequences, such as missing required programs. As an example, QuickBooks requires XPS for its PDF utilities (which cannot be fixed automatically with Intuit’s fix tool). It is highly recommended to take a snapshot or backup before proceeding.

My job and home life do not require much desktop workstation maintenance. Most CF Webtools staff are competent with their environment or use a client’s pre-packaged workstation. However, I set up workstations here and there for different reasons, mostly Windows 11.

But as you well know, Windows 11 comes with bloatware. I would manually uninstall as many programs and apps as I could. But some are forced to take residence.

BloatyNosy

Check out “BloatyNosy” (Bloaty ‘n Nosy). Self-described as “streamlines and houses all the essential settings under one app and allows you to disable and remove unnecessary features with just a simple click.”

This app is born as a way to simplify and combine “Privatezilla”, “Bloatbox for Windows 10”, and “ThisIsWin11 for Windows 11”.

After downloading the app from GitHub, you must extract and run the “BloatyNosy.exe” file. Press “Run anyway” if Microsoft Defender SmartScreen prevents the unrecognized app from starting. You may bypass the “Trojan:Script/Wacatac.B!ml” virus warning at your own risk; it appears to be a false positive. Only do this for a copy you downloaded directly from the project’s GitHub releases page, not one obtained from a mirror or a search-engine result.

Press the “Analyze Windows x Build x.x” button to scan your computer for recommended actions. You will see a scrollable list of recommended actions.

If you press the down arrow and press “Fix problems”, it will potentially do some things you do not prefer, such as setting a dark theme and enabling the Linux subsystem.

You may either press this “Fix problems” button and go with their recommendations listed in the list or press the (not so obvious) link below the list to choose what to do and not to do.

After completing your selections, press the “Fix problems” button.

You may have to manually input some confirmations, such as agreeing to source agreement terms when winget runs.

Once the checklist is complete, it will silently sit there without feedback. I recommend opening Task Manager and ensuring the “BloatyNosy” app is at 0% processor, then rebooting. Task Manager can be found by right-clicking the Start menu icon and selecting it from the context menu.

Results

You will be left with programs such as “Xbox Game Bar” and “Xbox Live”. You will also notice bloatware apps listed in the Start menu that you thought would have been removed. However, they appear to be linked to installers and can be “unpinned” or “uninstalled” individually by right-clicking the icon. These include such programs as WhatsApp, Spotify, Disney+, TikTok, Instagram, and Messenger.

Other Options

You can also use “BloatFinder”, which removes pre-installed apps manually, and “WinModder”, which allows you to apply code snippets based on PowerShell and community scripts, individually. Also, check out “I want to set up Windows 11 for the first time”, where you can call a Windows 11 Setup/Assistant, customize your system step by step, and debloat it. And lastly, InstaPackage is integrated, which allows you to install some of the most important apps with a click and in bulk.

On the WinModder app, you may need to install the mods signature file by pressing the link shown in the app.

#bloat, #windows-11

Wiki.js Active Directory Authentication Configuration

I have recently taken the opportunity to explore Wiki.js as a replacement for a MediaWiki system.

Wiki.js Docs Example

You can add authentication strategies from sources such as Auth0, Azure AD, Facebook, GitHub, Google, LDAP / Active Directory, OAuth2, Slack, and a number more. The current network has a Domain Controller with an Active Directory, so I wanted to integrate that.

The first thing that came to light was that Active Directory (AD) will talk LDAP on port 389 and LDAPS (LDAP over TLS) on port 636 natively. Sounds great! Use 636 (or StartTLS on 389) for the Wiki.js bind so the service account’s credentials and users’ passwords do not cross the network in the clear, and give that bind account read-only rights. However, not being an LDAP or Active Directory expert, and with a lack of documentation from Wiki.js, this became a matter of “try and see”.


#active-directory, #ldap, #wiki, #wiki-js

“i” is for Intel on AWS EC2

Last year, AMD-based instances came into existence on Amazon Web Services’ (AWS) Elastic Compute Cloud (EC2). AMD brought a slight performance decrease and a reasonable price discount. CF Webtools is mostly website focused, and almost all of our servers have no problem going with that decreased performance.

Since EC2 was created, they’ve used abbreviations, such as “M1” for general purpose (think Main) and T1 for burstable (think Turbo). The letter is the instance family, and the number is the generation.

Then in 2020 came the AMD instances, such as M5a, which appended an “a”. This year came Graviton, powered by Arm-based processors, such as M6g, which appended a “g”.

From day one, any abbreviation that lacked the last character was an Intel processor. The sixth generation has changed that. Now you will start to see “i” appended, if it runs Intel, to flow with the “a” and “g”.

There are other characters in these abbreviations, but that’s for another day.

On August 15th, 2021, AWS introduced M6i instances.
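A small parser for the naming scheme described above, as an added example (not from the original post), in POSIX shell. It splits an instance type into family, generation, attribute letters and size, then maps the attribute letters to a vendor the way the post describes: “a” AMD, “g” Graviton, “i” Intel, and no letter means Intel for generations before 6. From generation 6 on, the post says a bare name no longer implies Intel, so that case is reported as unknown rather than guessed. Other attribute letters (the ones the post leaves for another day) are carried through untouched.

```sh
#!/bin/sh
# parse_instance_type: split an EC2 instance type such as "m6i.large" into
# "family generation attributes size". Added example, not from the original post.
# Attributes are the letters between the generation digit and the ".size" part;
# "-" is printed when there are none.
parse_instance_type() {
    type="$1"
    head="${type%%.*}"
    size="${type#*.}"
    [ "$head" != "$type" ] || return 1             # no ".size" part at all
    family="${head%%[0-9]*}"                       # letters before the first digit
    rest="${head#"$family"}"
    gen="${rest%%[!0-9]*}"                         # the generation digits
    attrs="${rest#"$gen"}"
    [ -n "$family" ] && [ -n "$gen" ] || return 1
    printf '%s %s %s %s\n' "$family" "$gen" "${attrs:--}" "$size"
}

# processor_vendor: apply the post's rule to the attribute letters.
# No letter means Intel for generations 1-5; from generation 6 the bare name no
# longer implies a vendor, so that case is reported as "unknown".
processor_vendor() {
    parts=$(parse_instance_type "$1") || return 1
    set -- $parts
    gen="$2"; attrs="$3"
    case "$attrs" in
        *g*) echo Graviton ;;
        *a*) echo AMD ;;
        *i*) echo Intel ;;
        *)   if [ "$gen" -lt 6 ]; then echo Intel; else echo unknown; fi ;;
    esac
}
```

This is the kind of helper that ends up in tagging or cost-report scripts, where the vendor is not available as a field and has to be read out of the type name.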

Back to Space

There’s one man’s ventures that I like to follow: Elon Musk

A citizen of South Africa, Canada and the US, he leads SpaceX, Tesla, The Boring Company, Neuralink, and OpenAI. He worked his way up from Zip2 and X.com, which ended up in the hands of PayPal.

I would love to own the Tesla Model S, Model 3, Model X, and Cybertruck. But I’m going to need a raise first.

But what’s most impressive to me is SpaceX. Their quick-turnaround reusable rocket sections have made space travel so much more affordable.

Since the end of the Space Shuttle era back in 2011, we’ve relied upon the Russians to get U.S. astronauts to space at a hefty price tag.

Now, if everything goes to plan, that will all change around May 7th. The date is not official and is just a target at this point, but April, May or June are likely according to Mark Geyer, director of Johnson Space Center. Whatever the date, it will mark the first human space flight by a private corporation rather than the government, and of course that leads to significantly reduced costs.

But let’s not forget the government is what got them to their starting block. While these are new engines and, well, everything, they didn’t start from scratch.

After numerous tests from empty flights, to automated cargo deliveries to the Space Station, to testing the in-flight abort system, they are ready for the humans.

Boeing almost made the first human flight, but they’ve got some major software issues they’ve got to work out after their last mission just didn’t cut it.

I’m looking forward to this launch date, and I’m sure much of the world will be watching as well.

#elon-musk, #nasa, #space, #spacex

Seeking ColdFusion Systems Administrator

— This position has been filled. Thank you —

Seeking a ColdFusion Systems Administrator for CF Webtools. We are in Omaha, NE and are accepting both local and remote positions.

  • Yes, you may work from home, so pants are optional unless you are video conferencing.
  • Looking for folks legal to work in the US only. (sorry! We still love you world!)
  • Yes, the position is W2 with full benefits. PTO, healthcare, IRA, dental, vision, disability, life, and a positive, encouraging environment.
  • Our operations group consists of 4 team members so far.
  • They spend their days fixing, migrating, managing and upgrading servers.
  • AWS is involved in about 80% of what we do.
  • You will need to be able to find memes that appropriately obscure as inside jokes among your team members.
  • They are on call 24×7. We rotate out weekends and make sure you have enough “you and family time”. But after-hours calls are very minimal. However, you will be responsible for some scheduled “late nighters” for upgrades and migrations. We try and keep your overall hours to about 40 hours a week average still.
  • Plenty to do. Lots of scrambling. Lots of appreciative customers and developers who will see you as a savior if you can fix their problem.

We are looking for someone experienced in ColdFusion. Perhaps you are a CF developer looking to change it up, or you are already experienced in JVM tuning, lockdowns and such. This job will involve managing servers (this is not a help desk job): provisioning, migrating code, upgrading the OS and more. On the ColdFusion side you’ll be handling complex troubleshooting, upgrades, updates, installations and more. But don’t get too hung up on only ColdFusion. We also touch other technologies such as WordPress, Python, PowerShell, MS SQL, MySQL, NoSQL and more. Below are some of the technologies we use and you will need to work with. To qualify, you should know more than a few of these:

  • Linux – For this job you probably need more than just a passing knowledge of Linux. You should be fluent in Linux administration. If you’ve set up some distros, used YUM or other package managers, know how to find stuff on a Linux box etc. you are probably qualified. But the more the better!
  • Windows Server – We have a high percentage of Windows servers. Operations manages backups, patching, migrating, upgrading etc.
  • AWS – about 70% of our managed stack is AWS. If you apply for this job you will be expected to eventually test for an associate certification. Training (online Udemy) and testing are paid for, but you must put in the work to get there. Just like college, except more fun!
  • Java/Tomcat – Our primary stacks invariably include Tomcat/JVM. If words like garbage collection, heap, context, web connectors etc. seem familiar you are on the right track.
  • Networking – you should know your way around a network stack, be familiar with firewall rules, IP addressing, NAT etc.
  • Troubleshooting – you should understand how to troubleshoot issues that arise from CPU, memory or disk constraints and performance.
  • DNS – you should understand DNS zones and record types, how they work, and how to modify them.
  • Web Servers – You should understand how to set up a website in one or both Apache and IIS.
  • Email Servers – We manage several email servers or email relays.
  • Jenkins – More of a “nice to have”. We deploy code through Jenkins from SVN or Git. Ops manages deployments.
  • Nagios (network monitoring) – Also a “nice to have”. We use Nagios to manage an array of uptime alerts from external and internal customers.

About CF Webtools

We are not a staff augmentation company trying to find someone to fling out to a spot in hopes they stick. While you work with customers, we care about developers and work culture. We intend to know you and support you. We strive to create a workplace you enjoy. We are looking for IT specialists that match our culture of Can-do, Caring, Communication and Competency. Here are some items that you need in order to fit in here.

  • Yes, you will be exposed to ______ (windows/mac) even if you are religiously devoted to ________ (windows/mac). We don’t make the rules.
  • You should be able to work with SVN or GIT and sometimes other source control products.
  • You should maintain positive attitude – We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self-deprecating that will be a plus and you will love it here.
  • You should maintain and enhance your skills set – you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Every one of these is a growth opportunity. If that has you licking your chops climb aboard.
  • We like balance – Our staff have a full life. They ride horses, snowshoe, skydive, sword fight, play instruments, love dogs, golf, learn languages, rear children, go to plays, like to bake, fish, hunting, equestrian sports, skydiving, guitar playing, dog training, macramé, Golf, racquetball, Mandarin, politics (careful!), family outings, school plays, choirs, baking, snowshoeing, ice fishing, hunting, aquaponics, mudding, and the list goes on. We love it all! We think those things make you a better team member and it makes us want to be around you.

Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 109 and ask for Chris. You can try extension 105 and ask for the Muse, but you must get past Rachel so be creative! We look forward to hearing from you!

#career, #cf-webtools, #coldfusion-application-server, #job

Windows 10 RDP Freezing

While connected to remote Windows machines via RDP in Windows 10, the connection freezes after x amount of minutes. Pretty often.

The resolution was to disable UDP.

  1. Run gpedit.msc.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client.
  3. Set the “Turn Off UDP On Client” setting to Enabled.

This seems to have appeared when I upgraded to Windows 10 Pro 1903, though my RDP isn’t used very often from this machine. I’ve also seen issues on forums dating back to 1809. You can check your version by going to settings > about.

I noticed that I wasn’t getting kicked off anymore, but the quality of the screen went down, like everything became less crisp or fuzzy.

I have read that using an RD Gateway forces MSTSC to use TCP connections (or TCP/HTTPS), which disables the UDP sessions as well.

Update 1/21/2020:

I read that this was an issue with the graphics card drivers. I updated the drivers on my client, but that didn’t help.

I then moved on to MobaXterm, which I probably should have done long ago. Not only did it solve my issue, but the organization is great and supports far more than RDP. Examples are SSH, Telnet, FTP, SFTP, Serial, AWS S3 and more.

#rdp, #windows-10

How Amazon Uses Explosive-Resistant Devices To Transfer Data To AWS

When CF Webtools needs to migrate a large amount of data from on-premises to the cloud, we order one of these devices to do the job. What I didn’t know is they’re rated to be dropped out of an airplane and take on nearby explosions!

Seeking Sys Ops Wizard!


Want to come work for my team? Seeking a systems administrator, for web-based Linux and Windows infrastructure, to work on my Operations Team at CF Webtools.

  • Yes you work from home so pants are optional unless you are Skyping.
  • Looking for folks legal to work in the US only. (sorry! We still love you world!)
  • Yes the position is W2 with benefits after a short (30 day) trial period.
  • Yes benefits include health care.
  • Health Insurance won’t cover your calls to the Psychic hotline, but you might be able to use FSA for that.
  • Yes there are other benefits – 401k, dental, PTOs, disability, life insurance, and a positive, encouraging environment.
  • Our operations group consists of 3 team members so far.
  • They spend their days fixing, migrating, managing and upgrading servers.
  • AWS is involved in about 80% of what we do.
  • You will need to be able to find memes that appropriately obscure as inside jokes among your team members.
  • Plenty to do. Lots of scrambling. Lots of appreciative customers and developers who will see you as a savior if you can fix their problem.

While a knowledge of ColdFusion is not required it would be a plus. This job will involve managing servers and server instances (this is not a help desk job) – provisioning, migrating code, upgrading OS or Java. Below are some of the technologies we use and you will need to work with. To qualify you’ll need to know at least a handful of these.

  • Linux – For this job you probably need more than just a passing knowledge of Linux. You should be fluent in Linux administration. If you’ve set up some distros, used YUM or other package managers, know how to find stuff on a Linux box etc. you are probably qualified. But the more the better!
  • Windows Server – We have a high percentage of windows servers. Operations manages backups, patching, migrating, upgrading etc.
  • AWS – about 70% of our managed stack is AWS. If you apply for this job you will be expected to eventually test for an associate certification. Training (online Udemy) and testing are paid for, but you have to put in the work to get there.
  • Java/Tomcat – Our primary stacks invariably include Tomcat/JVM. If words like garbage collection, heap, context, web connectors etc. seem familiar you are on the right track.
  • Networking – you should know your way around a network stack, be familiar with firewall rules, IP addressing, NAT etc.
  • Troubleshooting – you should understand how to troubleshoot issues that arise from CPU, memory or disk constraints and performance.
  • DNS – you should understand DNS zones and record types, how they work, and how to modify them.
  • Web Servers – You should understand how to set up a website in one or both Apache and IIS.
  • Email Servers – We manage a number of email servers or email relays.
  • Jenkins – More of a “nice to have”. We deploy code through Jenkins from SVN or Git. Ops manages deployments.
  • Nagios (network monitoring) – Also a “nice to have”. We use Nagios to manage an array of uptime alerts from external and internal customers.

About CF Webtools

We are not a staff augmentation company trying to find someone to fling out to a spot in hopes they stick. While you work with customers, we care about developers and work culture. We intend to know you and support you. We strive to create a workplace you enjoy. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here are some items that you need in order to fit in here.

  • You should be able to set up multiple local environments on your own dev workstation. You should know words like “Apache” or “IIS”. Yes, you will be exposed to ______ (windows/mac) even if you are religiously devoted to ________ (windows/mac). We don’t make the rules.
  • You should be able to work with SVN or GIT and sometimes other source control products.
  • You should maintain a positive attitude – We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self-deprecating that will be a plus and you will love it here.
  • You should maintain and enhance your skill set – you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Every one of these is a growth opportunity. If that has you licking your chops, climb aboard.
  • We like Balanced Developers – Our devs have a full life. They ride horses, snowshoe, skydive, sword fight, play instruments, love dogs, golf, learn languages, rear children, go to plays, like to bake, fish, hunting, equestrian sports, skydiving, guitar playing, dog training, macramé, Golf, racquetball, Mandarin, Politics (careful!), family outings, child rearing, school plays, choirs, baking, snowshoeing, ice fishing, hunting, aquaponics, mudding, and the list goes on. We love it all! We think those things make you a better developer and it makes us want to be around you. We aren’t looking for 80 hour a week developers slavishly devoted to coding. We are looking for eclectic, interesting people who enjoy coding and want to do it for a living.

Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot, send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 126 and ask for Kurt. You can try extension 105 and ask for the Muse, but you have to get past Rachel so be creative! We look forward to hearing from you!

#job