r/SysAdminBlogs

Ssl cert renewal every 200days

Hi
Our dns for all my domains is cloud flare
Ssl certificate we buy from NAMECHEAP
but now I need to renew one of my wildcard cert
For about 30 servers .
It’s possible to do it automatically?
Without connect each server every 200 days?

reddit.com
u/Agreeable-Square-615 — 15 hours ago
▲ 35 r/SysAdminBlogs+1 crossposts

Wasting A Small Fortune In Microsoft 365

Long story short, I had a client say, "We have more M365 licensed users than employees. Please help us find them."

It took me about a week to find all the waste (first time always takes forever). Now I've run the same steps for a dozen other clients (takes less than an hour now). On average, I've been able to save clients 22% of their budget.

Thought I'd share exactly how I do it.

There are 5 areas of waste in Microsoft 365:

  1. Remove licenses from disabled users.
  2. Remove licenses from inactive users.
  3. Downgrade licenses on over-licensed users.
  4. Stop paying for unassigned licenses.
  5. Redefine the license terms.

NOTE: I have the steps using the admin center, PowerShell, and a third-party app, but it's too long to re-post in Reddit. Go to Microsoft 365 License Audit to see all the steps.

Find Disabled Users

  1. Log in to the Microsoft 365 admin center.
  2. Users > Active Users > Export > Continue.
  3. Open the spreadsheet.
  4. In the Home Ribbon, click Sort & Filter > Filter
  5. Click the dropdown in the Licensed column > uncheck Unlicensed > click OK
  6. Click the dropdown in the Block credential column > uncheck FALSE > click OK.

Find Inactive Users

NOTE: You need to either have a Microsoft Entra P1 license or use a third-party app to get this data.

  1. Open Microsoft Entra Admin Center
  2. Users > Manage view > Edit columns.
  3. Remove, replace, or add so the only columns you can see are: Display name, User principal name, User type, Identities, Assign licenses, and Last interactive sign-in time. Click Save.
  4. Click Download users > Start bulk operation
  5. Wait for the success pop-up message to appear, then click the notification bell at the top of the page. Under the notifications menu, click Success!, and then select the [report name].
  6. Open the downloaded spreadsheet.
  7. Click Sort & Filter > Filter to enable the column filters.
  8. Click the drop-down in the assignedLicenses column. Uncheck any empty options, i.e., []. Click OK.
  9. Click the drop-down in the signInActivity column. Click Sort A to Z.
  10. Any users who have an empty signInActivity or a sign-in that was over 30 days ago can be safely disabled, and the license removed after the data is properly secured.

Find Downgradable Users

  1. Review the report located on the website, then click Export.
  2. Open the CSV in Excel.
  3. Next, download the Microsoft 365 apps spreadsheet by going back to Reports > Usage and clicking View More located under “Active users - Microsoft 365 Apps”
  4. Review the report and click Export.
  5. You can start by deleting everyone that you’ve already determined hasn’t logged on or is currently disabled.
  6. Add the filter by clicking Sort & Filter in the home ribbon > Filter.
  7. Add a column for Current Licenses.
  8. Copy the licenses from the How To Use The Admin Center To Find Inactive Users spreadsheet you downloaded earlier into the new column. Be sure to align the user names in both spreadsheets.
  9. Add a column for Microsoft 365 Apps.
  10. Copy the Last Activity Date column from the Pro Plus Usage report you downloaded above in step 7 into the Office 365 app usage spreadsheet you’ve been using. Be sure to align the new data with the appropriate users in the Office 365 app usage report.
  11. For each of the following columns, click the drop-down next to the column name and filter out any logins that have happened in the last month.
  12. OneDrive Last Activity Date
  13. SharePoint Last Activity Date
  14. Skype For Business Last Activity Date
  15. Yammer Last Activity Date
  16. Team’s Last Activity Date
  17. Microsoft 365 Apps
  18. The users who have not been filtered out are excellent candidates for Exchange Online-only licenses. You may want to double-check their usage of other apps before making any license changes on their accounts.

Find Unassigned Licenses

  1. Open the Microsoft 365 admin center.
  2. Click Show All > Billing > Licenses.
  3. On that webpage, you’ll see a list of all your licenses in your organization, along with a column labeled “Available Licenses”.
  4. Any number above 0 in the Available Licenses column is typically safe to remove from your organization with two caveats. Some licenses aren’t assigned to users through the Microsoft 365 admin center.

NOTE: Some licenses are consumed as they are used. For example, additional storage licenses for SharePoint Online may show as available, but removing them will decrease the amount of free space available in SharePoint Online and possibly cause a disruption to SharePoint Online usage.

Redefine The License Terms

Microsoft adjusted its pricing model, charging different rates for the same license based on commitment terms, billing frequency, or sector-specific eligibility.

  • The subscription length
  • Billing Frequency
  1. Go to the Microsoft 365 admin center
  2. Click Billing > Licenses > Select the license you want to review.
  3. Click ellipsis (…) next to the subscription > Manage subscription settings.
  4. You can view the billing settings right on this page.
u/Huge-Shower1795 — 2 days ago
▲ 34 r/SysAdminBlogs+5 crossposts

eXo Platform 7.2 has been released : an open-source digital workplace with native AI, self-hosting support, and multi-LLM architecture

A new release of eXo Platform, an open-source digital workplace platform, is now available. It may be relevant to the self-hosted community here.

With version 7.2, the focus has been placed on three main areas:

• Native AI integration directly inside the platform (content management, knowledge access, collaboration, automation)
 • Multi-LLM architecture → use the AI models you choose (OpenAI, local models, private deployment, etc.)
 • Full deployment flexibility → cloud, private cloud, or fully on-premise/self-hosted

A few technical highlights:

• MCP server exposed via OAuth with access to 100+ platform tools for AI agents
 • Internal RAG connected to organizational knowledge bases
 • Ability to restrict/contextualize AI sources (documents, spaces, tasks, notes…)
 • AI assistants that can be customized for specific internal workflows
 • Open-source architecture designed for organizations requiring data sovereignty

The goal is simple: integrate AI into everyday work without forcing organizations into closed SaaS ecosystems.

Feedback from people building self-hosted alternatives in this space is welcome.

Curious how others here are approaching AI + self-hosting.

eXo offers:

  • Community Edition (CE) → Fully Open Source
  • Enterprise Edition (EE) → additional features & professional support

Both can be deployed self-hosted, in private cloud, or in secure environments (including SecNumCloud).

u/jaouanebrahim — 3 days ago
▲ 28 r/SysAdminBlogs+1 crossposts

SEZOY - Multi‑boot USB + PXE/HTTP + Windows install

Hey folks,

This tool called SEZOY and figured it's worth sharing. It's basically a boot utility that does USB, PXE, and HTTP booting, but the main selling point is that it can install Windows completely hands‑off. No clicking through language settings, disk selection, partition deletion, or messing with RST drivers. It just figures everything out on its own based on whatever hardware it detects. You don't need to pre‑load storage drivers, wipe old partitions manually, or babysit the installer.

Here's what it does:

· USB boot works like the usual multi‑ISO approach, copy your ISOs to the drive and boot straight from them. No burning, no reformatting for each ISO, no manual menu editing. Simple. Just keep in mind that this mode needs SecureBoot turned off.

· Network boot supports both PXE and HTTP at the same time. No toggling between modes. If you run a shop with mixed clients, this saves a lot of headache.

· SecureBoot works fine if you're booting over the network, as long as the OS itself supports it. Most mainstream ones do Windows, Ubuntu, Mint, Fedora, and their derivatives.

· There's a web dashboard you can access from any device on the same network. Lets you check on clients remotely during installation, kind of like TeamViewer but lighter. You can step in without walking over to the machine.

· After Windows is done, you can set it to automatically install additional software. Pick whatever apps you want during setup, and it'll handle the rest.

Still has a bunch of other stuff I haven't listed yet.

If you've got a spare moment, grab it from the links below and let me know what you think.

One thing to be clear about, this tool doesn't bundle any cracks or keys. It just creates the boot environment. Anything that needs activation afterward is on you to handle legitimately.

Download: https://tekdt.xyz/en/download

Docs: https://tekdt.xyz/en/docs

u/TekDT — 3 days ago
▲ 8 r/SysAdminBlogs+2 crossposts

Vigil – Lightweight Linux server monitoring that runs on Cloudflare Workers

I got tired of either paying per-host for hosted monitoring or standing up a Prometheus/Grafana/node_exporter stack just to watch a handful of small servers. So I built Vigil.

The idea: you don't run any monitoring infrastructure yourself. The backend is a Cloudflare Worker with D1 for storage and KV for state, plus a 1-minute cron for alerting. So it scales to zero and costs nothing on the free tier for a small fleet. The agent is a single Python file using only the stdlib (no pip install), managed by systemd. The dashboard is a React SPA on Cloudflare Pages.

github.com
u/vehbiemiroglu — 4 days ago
▲ 2 r/SysAdminBlogs+2 crossposts

What's the difference between controlling web traffic and securing it?

A proxy is designed to forward and manage web traffic.

A Secure Web Gateway goes further by:

  • Blocking malicious and risky websites
  • Enforcing acceptable use policies
  • Protecting remote users
  • Providing visibility into web activity

As organizations embrace hybrid work, that extra layer of protection becomes essential.

Differences in detail here👉 Secure web gateway vs Proxy

u/Academic-Soup2604 — 5 days ago
▲ 7 r/SysAdminBlogs+4 crossposts

Socket-Activation for a Go HTTP service on MS Windows with IIS + ASP.NET Core "Out-Of-Process" hosting.

ASP .NET's out of process hosting (from the .NET Hosting Bundle) can be used with any web service, not just those written for/with a .NET language. Here's an example how to use it with a static Go executable that exposes a simple web service.

poweruser.blog
u/_jindo_ — 6 days ago
▲ 20 r/SysAdminBlogs+3 crossposts

Jabali Panel: Open-source GPL web hosting panel now with Docker support

Hi everyone,

I’m building Jabali Panel, a free and open-source web hosting control panel for Debian servers.

The project is still young, but the community is slowly growing, and I’m now looking for testers and early users who want to try it, give feedback, report bugs, and help shape the direction of the panel.

Jabali now also supports Docker, so it can be used not only as a traditional web hosting panel, but also as a standalone Docker proxy server, mail server, DDNS server, DNS server, and more — depending on what you want to run.

It’s focused on WordPress hosting, small hosting providers, freelancers, and sysadmins who want a modern self-hosted alternative without license fees or vendor lock-in.

For testers who seriously try the panel and give feedback, I’ll provide full support during the testing period to help with installation, setup, issues, and questions.

GitHub: https://github.com/shukiv/jabali-panel

Demo: https://demo.jabali-panel.com

Thanks — any feedback, testing, or GitHub issues would help a lot.

u/apunker — 9 days ago
▲ 125 r/SysAdminBlogs+3 crossposts

Learning Infrastructure as Code in Azure with Terraform

I've been sharing Azure and Cloud Engineering content here for the past 8 months. Most of that content focused on PowerShell and automation across Azure, Entra ID, and Microsoft 365 (21 hours worth so far!).

While doing that, I intentionally avoided going too deep into deploying Azure services because I wanted to dedicate a separate series to Infrastructure as Code in Azure.

I'm kicking off that series today with Terraform for Azure Beginner Episode focused on understanding the foundations of Terraform and how it interacts with Azure.

Topics covered include:

• Theory behind Terraform (Infrastructure as Code, Declarative Languages, why Terraform exists)

Terraform CLI (Init, Plan, Apply, Destroy)

Terraform Blocks (Terraform, Providers, Resources, Variables, Locals, Data, Outputs)

Terraform State (Including Drift Detection, and State-related Gotchas especially with secrets)

And more (Terraform Order of Operations, Variable Precedence, Data Types, etc)

The goal is to understand the core concepts that make Terraform work before moving into more advanced topics. Over time I plan to build this series toward how Azure Cloud Engineers actually deploy, manage, and operate Azure environments today through Infrastructure as Code.

Beginner Episode: Understand Terraform (learn the foundations and core concepts that make Terraform work)

Intermediate Episode: Program Terraform (use loops, functions, conditionals, dynamic blocks, etc.)

Advanced Episode: Scale Terraform (introduce modules, remote state, workspaces, imports, etc.)

Professional Episode: Operationalize Terraform (use GitHub, CI/CD, pull requests, state management, and deployment workflows to work in a team environment)

Solution Episode(s): Build Azure Projects (We'll pretend to take assignments from Cloud Architects and design, deploy, and manage complete Azure solutions using Terraform)

Link to Episode: Terraform for Azure | Beginner Course - Youtube

u/AdeelAutomates — 12 days ago
▲ 118 r/SysAdminBlogs+9 crossposts

Conduit: free, open source SSH/Mosh/SFTP client for Android and iOS with YubiKey/FIDO2 hardware key support

I built a free, open source SSH/Mosh/SFTP client for Android and iOS that supports YubiKey and other FIDO2 hardware keys over USB and NFC.

Auth works for both ed25519-sk and ecdsa-sk credentials via CTAP2. USB and NFC on Android, NFC on iOS. Works in both terminal and SFTP flows. Agent forwarding is supported too, so your YubiKey can authenticate onward hops without copying keys to remote machines. You'll be prompted to tap for every signature, same as a normal connection.

No account, no subscription, no cloud sync, no analytics, no paid features. Everything stays on device.

F-Droid: https://f-droid.org/packages/com.gwitko.conduit/

GitHub: https://github.com/gwitko/Conduit

App Store: https://apps.apple.com/app/id6780054869

Play Store is coming soon. If you want early access, join the beta: https://play.google.com/apps/testing/com.gwitko.conduit (you'll need to join this group first: conduit-closed-test@googlegroups.com)

I would really appreciate feedback from the yubikey community on my integration of the auth flow with the hardware keys. Note that the flow is a bit different on android and ios.

EDIT to join group go here: https://groups.google.com/g/conduit-closed-test

u/gwitko — 13 days ago
▲ 67 r/SysAdminBlogs+1 crossposts

Finally - the new Microsoft Entra Connect v2.6.79.0 is just released!

Finally - the new Microsoft Entra Connect v2.6.79.0 is just released!

This blog post has been in the works for quite some time, and finnaly I can publish it! It have also been a fun experience collaborating with the product team behind it at Microsoft again again!

It contains also some undisclosed security fixes, and Microsoft also recommends updateing it soon as possible.

On the other side, it finally introduces support for FIDO2-based authentication - a feature many have been waiting for! 🔒

In my latest blog post here: https://blog.sonnes.cloud/microsoft-entra-connect-sync-passwordless-authentication-now-supported/ I take a deep dive into how it works and what you need to know - and sorry for the length of the article, but it includes some great insights from the development process, along with bugs, fixes, and discoveries I encountered along the way - you all know me, #TheBugHunter 😂

Take a look at the blog and learn more about this exciting update!

#Microsoft #EntraID #Identity #Security #TheHubHunter #EntraIDConnect #Updates #Passwordless #FIDO2 #IdentitySecurity #ZeroTrust #Microsoft365 #HybridIdentity #ITPro #Cloud #MVP #MVPBuzz

u/michaelmsonne — 13 days ago
▲ 20 r/SysAdminBlogs+1 crossposts

Sharing a free web tool that diffs GPO backups, in case it's useful here

Figuring out what actually changed between two GPOs is a pain, so I made a web tool that does exactly that. You drop in 2 to 5 GPO backups and it shows the differences side by side.

It takes a backed-up GPO folder (or its ZIP), a Get-GPOReport XML, or a Get-GPOReport HTML, with search, collapsible categories, and export to CSV/Markdown/HTML for tickets or change docs.

It runs entirely in your browser and nothing gets uploaded.

It lives here, alongside an ADMX policy viewer I also run: https://admscope.com

Free, no login. If you hit a bug or have a feature you'd like to see, let me know.

Edit: You can also use it to just look inside a single backup - load one, remove the second slot, and you get a clean, searchable view of that GPO on its own.

u/admscope — 10 days ago
▲ 18 r/SysAdminBlogs+2 crossposts

Socket-Activation for a Go HTTP service on Linux with systemd

systemd on Linux can run your Go webapp only when it actually receives requests. With this, your Go executable will start with the first request it receives - and that first request will succeed. A lightweight alternative to running your service permanently in the background. And maybe also an alternative to deploying local web apps to Desktop systems with something heavy like Electron.

poweruser.blog
u/_jindo_ — 12 days ago
▲ 17 r/SysAdminBlogs+7 crossposts

Dismantling FortiBleed: We found the Russian operation turning FortiGate firewalls into passive credential vacuums (110M+ creds harvested) 🚨

If you manage Fortinet gear, grab a coffee. You're going to need it. ☕

Our Threat Research team just published a massive teardown of a Russian compromise operation we’re tracking as FortiBleed. Active since at least February 2026, these threat actors aren't just doing simple smash-and-grabs—they’ve built a highly automated, industrialized credential-harvesting machine.

There is a special kind of irony when your firewall is the exact thing stealing your data. Here is the TL;DR of what we found under the hood:

  1. The Weapon: A custom Golang tool called "FortigateSniffer". It literally turns compromised firewalls into passive collectors, sniffing traffic across 24 different authentication protocols.
  2. The Scale: Over 430,000 FortiGate firewalls targeted. They ran 659+ harvest cycles, exposing over 110 million credentials (including RADIUS, NTLM, and Kerberos material).
  3. The Infrastructure:They aren't playing around. We mapped an isolated Kali VM lab, Hashtopolis and Hashcat GPU clusters, and rented vast(.)ai capacity used to crack hashes at scale.
  4. The Victims: The dominant profile is IT services and SMBs (under 200 employees), but they also successfully breached and exfiltrated DFS data from a NATO-aligned defense contractor.

We’ve broken down the complete 5-stage attack chain—from initial recon and brute-force to harvesting, cracking, and exfiltration.

We also dropped all the IoCs and defensive recommendations so you can set up timely alerts and mitigate risks before your network becomes a statistic.

Dive into the full teardown to help strengthen your security posture: https://hubs.la/Q04mc0fJ0

Stay sharp out there. Let us know what you think of the attack chain in the comments. 👇

reddit.com
u/socradario — 13 days ago
▲ 1 r/SysAdminBlogs+1 crossposts

The Vercel Breach wasn't just "token theft" - it was an identity architecture problem. Here’s why.

Everyone is calling the Vercel breach a "third-party token theft" incident. While technically true, that misses the root cause: the unmanaged trust relationship. The attacker didn't breach Vercel directly. They breached an unapproved consumer AI tool (Context.ai) that an employee had granted broad Google Workspace OAuth permissions to. That single click created a trusted bridge straight into Vercel’s corporate environment.

The real issue - most security teams try to detect the blast radius after the token is stolen. By then, you're already losing... The actual control point is the moment of adoption.

To stop this, the workflow needs to change:

  • Discover at the Browser: Traditional network logs and API scans miss consumer AI tools. Discovery has to happen at the browser level, during the actual login interaction.
  • Inline Gating: You have to block or route the login for approval before the user clicks "Allow All" on the OAuth consent screen.

If the OAuth grant is never created, the vendor never holds a corporate token. If they don't hold the token, a downstream compromise of that vendor leaves attackers with a dead end.

We wrote a full architectural breakdown on how to flip this workflow from reactive detection to proactive lifecycle management using Unixi’s browser-level governance.

Read the full breakdown here: https://unixi.io/blog/shadow-ai-governance-part-2-vercel-breach

How is everyone else handling shadow AI OAuth grants right now? CASB, MDM blocks, or just praying users actually read the consent screens?

u/UnixiSecurity — 11 days ago
▲ 3 r/SysAdminBlogs+2 crossposts

Is your remote access helping your team move faster or slowing them down?

For IT teams, the best remote desktop software isn’t just about access, it’s about control, speed, and reliability.

From troubleshooting user issues to managing systems across locations, the right tool can make the difference between quick resolution and hours of back-and-forth.

But not all solutions are built the same.
Things that actually matter:

  • Stable connections (no random drops)
  • Secure access with proper authentication
  • Easy deployment and minimal user friction
  • Centralized visibility for IT teams

Because when something breaks, IT doesn’t have the luxury of “try again later.”

u/Academic-Soup2604 — 12 days ago