azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4886c8cc2a0762bdb1ca55d44284e2c090031bfe
claudetools/session-logs/2026-04-17-session.md
Mike Swanson e695743149 Session log: Cascades vault fix, Ollama Tailscale sharing, Howard review 
Fixed Cascades pfSense password in vault (a6A6c6fe→Th1nk3r^99, moved from
dataforth to cascades-tucson). Ollama exposed via Tailscale for Howard
(100.92.127.64:11434, firewall restricted to 100.0.0.0/8). Reviewed
Howard's first full day of work on shared system.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 13:09:29 -07:00

218 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Session Log — 2026-04-17
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Mode:** client/infra (mixed)
## Session Summary
Full day of client security work + infrastructure + tooling. Major items: Jupiter OwnCloud migration confirmed complete, Glaztech phishing incident (32 messages purged, MX/DMARC/EFC hardened), MVAN DMARC added, Syncro PSA integration built, GoDaddy API onboarded, jparkinson DNS fixes, Neptune access issues.
## Work Completed
### 1. Jupiter OwnCloud migration — confirmed complete
- rsync finished at 22:59 MST (2h49m total for ~750G uncompressed)
- Cache dropped from 82% (756G) to 34% (311G)
- MariaDB-Official + Discourse running healthy 7+ hours post-migration
- OwnCloud VM running, share config changed to `shareUseCache="no"`
### 2. Glaztech phishing incident — full remediation
**Two phishing campaigns bypassing MailProtector via exposed M365 MX record:**
Campaign 1: "ATTN: MaiIbox Password Login Expire" (spoofed alexander@, from 23.94.30.18 ColoCrossing)
Campaign 2: "HR Paperwork Awaiting Completion Approval" (spoofed enrique@, from 86.38.225.18)
Both: SPF FAIL, DKIM none, DMARC FAIL (p=none), SCL 1 (M365 didn't flag), connected directly to MX 10 bypassing MailProtector.
**Actions taken:**
- Removed MX 10 (glaztech-com.mail.protection.outlook.com) from DNS on IX
- Updated DMARC from p=none to p=reject
- Enabled Enhanced Filtering for Connectors (EFSkipIPs: MailProtector IPs)
- Purged 32 messages across 8 mailboxes (alexander, seastman, dominic, jack, bryce, cesar, daryld, holly)
- Saved forensic .eml + .json samples
- Onboarded Glaztech to remediation tool (admin consent + Exchange Admin role)
- Syncro ticket #32165 created + billed
**Glaztech tenant:** 82931e3c-de7a-4f74-87f7-fe714be1f160
**Remediation tool roles:** Exchange Administrator assigned to ComputerGuru - AI Remediation SP
### 3. MVAN phishing — DMARC added
- mvaninc.com had NO DMARC, NO MailProtector, direct M365 MX only
- Added DMARC p=reject via GoDaddy web GUI (delegate access from MVAN)
- Syncro ticket #32166 created with notes to client about MailProtector add-on option and other domains needing protection
- MVAN tenant: 5affaf1e-de89-416b-a655-1b2cf615d5b1 (already consented for remediation tool)
### 4. /syncro command — Syncro PSA integration
Built `/syncro` slash command for ticket management via Syncro REST API.
**Key discovery:** Time is added as part of the comment, NOT via separate timer endpoint.
- `POST /tickets/{id}/comment` with `product_id`, `minutes_spent`, `bill_time_now` fields
- Timer entries (`/tickets/{id}/timer_entry`) exist but rarely used
- Invoice creation: `POST /invoices` with `ticket_id` + `customer_id`
- Invoice line items: `POST /invoices/{id}/line_items`
**Labor product IDs:**
- 1190473 — Labor - Remote Business
- 26118 — Labor - Onsite Business
- 26184 — Labor - Emergency or After Hours Business
- 9269129 — Labor - Prepaid Project Labor
- 9269124 — Labor - Internal Labor
- 26117 — Fee - Travel Time
- 68055 — Labor - Website Labor
**Glaztech billing:** Prepaid Hours - Block (product 46303) at $130/hr, 40hr blocks
### 5. GoDaddy API — onboarded
- Created Production API key "RemediationTools"
- Vaulted at `services/godaddy-api.sops.yaml`
- Can manage DNS for ACG-owned domains programmatically
- Delegate domains (client-managed) only accessible via web GUI, NOT API
- MVAN delegated access accepted but API still returns 403 (known GoDaddy limitation)
### 6. jparkinsonaz.com DNS fixes
- Added DMARC: `p=reject; sp=reject`
- Added autodiscover: CNAME → mail.acghosting.com
- Changed A record: 72.194.62.7 (IX) → 67.206.163.124 (Neptune) — mail-only domain, no website
- Required `pdns_control reload` after zone file edits (regular PowerDNS restart not sufficient)
- Required `/usr/local/cpanel/scripts/dnscluster synczone` for cluster propagation
- Serial format: epoch-based (NOT YYYYMMDDNN) — use incrementing epoch or zone check fails
- Neptune certbot for autodiscover failing — likely DNS propagation delay (14400s TTL on old A)
### 7. desertrat.com DNS audit
- MX: mail.desertrat.com → 162.248.93.81 (ACG WebSvr/NFOservers VDS, NOT MailProtector)
- SPF: includes spf.wdsolutions.com (WD Solutions/SmarterMail), uses ~all (softfail)
- DMARC: MISSING
- DNS: AWS Route 53 (not IX or GoDaddy)
- Needs: DMARC p=reject, SPF ~all → -all, eventual migration to IX + MailProtector
- Recommended SPF with MailProtector added: `v=spf1 +a +mx +ip4:162.248.93.233 +ip4:162.248.93.81 +include:spf.wdsolutions.com +include:spf.us.emailservice.io -all`
### 8. Neptune password reset — failed
- Attempted to set jparkinson password to `jP$48504850` on Neptune (jparkinsonaz.com domain)
- Neptune at 67.206.163.124 (public) / 172.16.3.50 (internal)
- WinRM from AD2 failed (Kerberos cross-domain), direct WinRM from workstation failed (Negotiate auth error)
- Internal IP 172.16.3.50 has RDP + WinRM open but auth failed
- May have caused account lockout — user handling via separate Claude session on Neptune directly
- ACG\administrator creds: `Gptf*77ttb##`
## Credentials
### GoDaddy API (Production)
- Key: `2wXWWFcuYk_2RGxdvpe1WZV2yPMvNLGEe`
- Secret: `5pQZs7H9WY7dwh59XsJMNr`
- Auth header: `Authorization: sso-key 2wXWWFcuYk_2RGxdvpe1WZV2yPMvNLGEe:5pQZs7H9WY7dwh59XsJMNr`
- Vault: `services/godaddy-api.sops.yaml`
### Syncro PSA
- API Key: `T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3`
- Base: `https://computerguru.syncromsp.com/api/v1`
- Vault: `msp-tools/syncro.sops.yaml`
### Glaztech M365
- Tenant ID: `82931e3c-de7a-4f74-87f7-fe714be1f160`
- Remediation tool consented + Exchange Admin role assigned
### MVAN M365
- Tenant ID: `5affaf1e-de89-416b-a655-1b2cf615d5b1`
- Already consented for remediation tool
### Neptune
- Public: 67.206.163.124
- Internal: 172.16.3.50
- Creds: `ACG\administrator` / `Gptf*77ttb##`
- jparkinson target password: `jP$48504850`
### IX server
- 172.16.3.10, root, `Gptf*77ttb!@#!@#`
- PowerDNS, cPanel, zone files at `/var/named/`
- Cluster sync: `/usr/local/cpanel/scripts/dnscluster synczone <domain>`
## DNS Changes Made Today
| Domain | Record | Before | After | Server |
|---|---|---|---|---|
| glaztech.com | MX 10 | glaztech-com.mail.protection.outlook.com | REMOVED | IX |
| glaztech.com | _dmarc TXT | p=none | p=reject; sp=reject | IX |
| mvaninc.com | _dmarc TXT | (missing) | p=reject; sp=reject | GoDaddy (web GUI) |
| jparkinsonaz.com | _dmarc TXT | (missing) | p=reject; sp=reject | IX |
| jparkinsonaz.com | autodiscover | (missing) | CNAME mail.acghosting.com | IX |
| jparkinsonaz.com | A (root) | 72.194.62.7 (IX) | 67.206.163.124 (Neptune) | IX |
## IX DNS gotchas (learned today)
1. **`pdns_control reload <zone>`** needed after zone file edits — full PowerDNS restart doesn't always pick up changes
2. **Serial format varies** — some zones use epoch (1776xxxxxx), some use YYYYMMDDNN. New serial must be HIGHER than old or changes are ignored.
3. **DNS cluster sync** required: `/usr/local/cpanel/scripts/dnscluster synczone <domain>` — editing zone files directly doesn't trigger cluster propagation
4. **Zone file backups** at `/var/named/<domain>.db.bak-YYYYMMDD`
## Syncro tickets created
| # | Customer | Subject | Time | Status |
|---|---|---|---|---|
| 32165 | Glaz-Tech Industries | Email Security - Phishing remediation + MX/DMARC hardening | 1hr (timer, not comment — needs fix) | Invoiced |
| 32166 | MVAN Enterprises Inc | Email Security - DMARC protection added for mvaninc.com | 30 min Remote Business | Resolved |
## Files created/modified
- `clients/glaztech/reports/2026-04-17-phishing-incident-report.md`
- `clients/glaztech/reports/2026-04-17-phishing-ATTN-mailbox-password.eml`
- `clients/glaztech/reports/2026-04-17-phishing-ATTN-mailbox-password.json`
- `clients/glaztech/reports/2026-04-17-phishing-HR-paperwork.eml`
- `clients/glaztech/reports/2026-04-17-hr-paperwork-*.json`
- `.claude/commands/syncro.md` (new)
- `D:\vault\services\godaddy-api.sops.yaml` (new)
## Pending
1. **Neptune jparkinson password** — being handled in separate Claude session on Neptune
2. **desertrat.com** — needs DMARC + SPF hardening on Route 53 (need AWS access)
3. **desertrat.com** — long-term migration from WebSvr to IX + MailProtector
4. **Glaztech ticket #32165** — timer entry created wrong (should be comment+time); fix or rebill in Syncro GUI
5. **jparkinsonaz.com certbot** — retry once A record propagates (14400s TTL from old IP)
6. **MVAN other domains** — only mvaninc.com has DMARC; client has other domains needing protection
7. **GoDaddy delegate API limitation** — can't manage delegate domains via API; need client's own API key for programmatic DNS
8. **All carry-over items from 2026-04-16** (Howard onboarding, GuruRMM migration drift, Len's deployment, etc.)
---
## Update: 13:00 — vault fix, Ollama Tailscale, Howard review
### Cascades pfSense vault fix
- Deleted stale `clients/dataforth/cascades-router.sops.yaml` (wrong password `a6A6c6fe`, misfiled under dataforth)
- Created `clients/cascades-tucson/pfsense-firewall.sops.yaml` with correct password `Th1nk3r^99`
- Howard caught the discrepancy during Cascades onsite work
### Ollama shared via Tailscale
- Set `OLLAMA_HOST=0.0.0.0:11434` (User env var, persists)
- Added Windows Firewall rule: port 11434 inbound, restricted to 100.0.0.0/8 (Tailscale subnet only)
- Verified: `http://100.92.127.64:11434/` → "Ollama is running" via Tailscale IP
- All 3 models accessible remotely (qwen3:14b, codestral:22b, nomic-embed-text)
- CLAUDE.md updated: per-machine URL detection (localhost for DESKTOP-0O8A1RL, Tailscale IP for all others)
- ONBOARDING.md updated: Howard doesn't need local Ollama install
### Howard's session reviewed
- Cascades: folder redirection (primary computer GPO issue) + WiFi (TP-Link USB driver + UniFi roaming)
- EVS: Win11 right-click menu fix (was actually Mike's session, miscategorized)
- Vault hygiene: caught wrong Cascades pfSense password — fixed above
- Ollama: his ARM64 laptop can't run models locally — resolved via Tailscale sharing
### jparkinsonaz.com DNS (continued)
- IX DNS cluster sync required after zone edits: `/usr/local/cpanel/scripts/dnscluster synczone jparkinsonaz.com`
- `pdns_control reload` needed on top of PowerDNS restart for zone changes to take effect
- Certbot for autodiscover should work once root A record TTL (14400s) expires and propagates to 67.206.163.124
### Credentials (this update)
#### Cascades pfSense
- Host: 192.168.0.1
- Username: admin
- Password: `Th1nk3r^99`
- Vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml`
#### Ollama Tailscale access
- Mike's Tailscale IP: 100.92.127.64
- Ollama URL: `http://100.92.127.64:11434`
- Firewall: inbound TCP 11434 from 100.0.0.0/8 only
- Env var: `OLLAMA_HOST=0.0.0.0:11434` (User scope on DESKTOP-0O8A1RL)
Reference in New Issue View Git Blame Copy Permalink