Thickheaded Thursday - December 25, 2025

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1pva79d
@r_systemadmin

Merry Christmas to all on-call & on-site today

From someone on-site today, may the phones, emails and apps stay quiet today

https://redd.it/1pvd451
@r_systemadmin

When did you fix something, but you're not really sure why it worked?

It was back when I was VERY junior and working as a lab assistant in a college computer lab in the mid 90s. We'd just gotten on the internet so we had to re-ip everything (NAT wasn't a thing yet, each workstation had a real IP on the internet). The guy who ran the lab re-ip'd our SunOS workstations, and the next day, only one of them worked, the rest did not. For what it's worth the one that worked had it's own disk, the ones that did not were diskless and booted over the network via TFTP.

Being very green and having a couple of years of computer science under my belt, I started poking around and found a directory with a bunch of hexadecimal named files. Having seen hex many times I noticed that the numbers in the filenames were the same as the old IP addresses. So I copied them to a bunch of new files with the new IPs. I rebooted a dead workstation and it came to life, so I did the rest!

I now know why it worked, having learned it all since, but at the time I was still very unsure how I got it to work, just that making some of the numbers match up did the trick.

https://redd.it/1pvg3qw
@r_systemadmin

Microsoft Authenticator App

Recently I’ve been getting login attempt notifications in the Microsoft Authenticator app, which got me all paranoid because I thought you had to know the password before it will prompt for MFA.

However, if you go to Microsoft and login with your email. It will prompt you for the app, bypassing the password entirely.

I realize I still need to select the proper number presented in the app to grant login, but can anyone explain to me how this isn’t a step backwards in security?

P.S. I’m not looking for tech support. I’m hoping to discuss this passwordless login method to see why it’s supposed to be a cybersecurity improvement. It doesn’t make sense to me.

https://redd.it/1pvjywa
@r_systemadmin

Fortigate vs Sonicwall

My company is currently using a Sonicwall and Aruba switches. I am set to replace it first half of 2026 along with a few switches (will be updating switches in waves). I have years of experience with both but wanted to hear some opinions on which you all prefer and why? I like and dislike things on both.

I am leaning towards going full on Fortigate with firewall and switches.

https://redd.it/1pvmnz1
@r_systemadmin

New year resolution- share yours

R/Management
Share yours

https://redd.it/1pvq05o
@r_systemadmin

unsafe-inline - how bad is it?

My devs unfortunately used inline noscripts a few times and so I have had to keep that in the nginx under Content-Security-Policy,

is that fine?

https://redd.it/1pvowbh
@r_systemadmin

Why IPv6 costs more to deploy with GCP and Vercel?

GCP shop plus Vercel.

GCP supports IPv6 networking in the premium tier only - https://docs.cloud.google.com/vpc/docs/ipv6-support
which is a lot more expensive.

Doing IPv6 on the edge load balancers and the rest with NAT64 is possible, but annoying as dual-stack would be easier.

Vercel says not to front itself with anything - https://vercel.com/kb/guide/cloudflare-with-vercel

But it also does not support IPv6. So one has to front it with Cloud flare to get IPv6 or something like that.

Are there any alternatives?

Why is it more expensive?

How to enable IPv6 for external clients without incurring huge costs - especially since all dual-stack clients might be preffering IPv6.

https://redd.it/1pvtuvr
@r_systemadmin

sharemouse alternative that supports linux != synergy

i use Sharemouse pretty much since day 1, the company basically picked up the synergy code and made it work, and this lasts until today, the software is clearly superior to the original, and well worth the price, however them being german, support usually turns into a ego nightmare, and well they have no linux client. synergy is still trash (especially on OSX)

anyone knows somethings that runs primary on OSX and Linux and has "some" windows support?

https://redd.it/1pvyeb2
@r_systemadmin

Weekly 'I made a useful thing' Thread - December 26, 2025

There is a great deal of user-generated content out there, from noscripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from noscripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1pw0t2j
@r_systemadmin

What projects can I do outside my work as sysadmin?

Lately, work has started to take over my life. There’s always the next project, and in helping the company, I’ve forgotten to invest in myself.

I love sysadmin and tech, and I want to spend my time learning or building projects that could automate my home, save me money, or even earn extra income. The projects I’ve been doing at home are related to work, so I worry that if I change jobs, I’ll lose that .

I’ve thought about fine-tuning AI, hosting a local AI agent, or creating home services to cut costs, but there are so many possibilities that I’m not sure where to start.

With my sysadmin and generalist background, what projects could I start that improve my skills, have income potential, and are realistic to tackle without a huge learning curve?

I have tried coding and that takes long time with fetures and features. My philosopy is small projects that makes me effective in my own economy. I have an idea on projects but no idea where to start

https://redd.it/1pw25hb
@r_systemadmin

Too Many Duo Prompts? How Do Teams Meet 2FA Compliance

I started at a company that uses Duo and it feels pretty intense: I approve a Duo push to SSH in, then another when I switch users, and another when I sudo. Basically every hop prompts a phone tap. If I'm signing into my computer, its a Duo tap. Any RDP session is a Duo tap. It probably takes me 15 minutes to get all of my terminals rolling in the morning.

Is this typical for companies achieving some compliance like CMMC, or is it configured extra-strict? What are other teams doing to meet 2FA requirements for SSH/admin access without so many prompts? I like Yubikey, but seems this IT department ignored me outright when I inquired about it. Tapping the phone bites IMO!

https://redd.it/1pw2vnu
@r_systemadmin

Has anyone been able to get Smartcard Login to work on Windows?

Really struggling with even knowing where to start looking on this one.

I'm a Junior SysAdmin and unfortunately the Senior ones haven't been too helpful on this.

I know E5 and E3s are going to include a PKI at some point and that is somehow relevant but I'm still struggling to understand exactly how that links in. For context, we are a hybrid environment.

I'm not even sure how to link a user's SmartCard to their AD profile or see what certs already exist on the profile!

If it helps at all, only about 400 devices out of 5000 need SmartCard based Logon. Most of the staff that will be logging on will have an E5. The devices in question will always be connected to our domain.

Is anyone able to give me a bit of a high level overview?

https://redd.it/1pw4kov
@r_systemadmin

Best 2025-2026 Document Scanners? - Looking for Suggestions

Hi everyone!

For anonymous purposes you can just refer to me as Cyb or Cyberius.

I currently work as an IT professional in a small-medium (\~200 employee) healthcare company, and we are a bit behind the times when it comes to hardware. One thing that we REALLY need to get up to date on is document scanners (Ricoh, Brother, etc.) as we still have ones dating back to \~2011.


The scanners that are being used currently are old KV-S1025 Panasonic Scanners that just aren't cutting it in terms of speed and other miscellaneous issues that we just can't seem to stay ahead on as the drivers and hardware are very dated. One scanner that does work pretty well is a Fujitsu Scanner Series 7xxx, but I believe this one is dated too so we want to try to find a better standard, if possible.


I have been doing some research online and in other subreddits, including this one, and was wondering what Document Scanners folks use at their workplace? Currently, I am leaning towards the Brother ADS Series but am fully open to suggestions.


Some other information that may help is the department that is in need of these scanners scan 100s of pages a day so something that is reliable and fast would be ideal to make sure their process is as smooth and efficient as possible.


Thank you!

https://redd.it/1pw7ulx
@r_systemadmin

MongoDB unauth exploit released, patch immediately

From: https://cyberplace.social/@GossiTheDog/115786817774728155

> Merry Christmas to everybody, except that dude who works for Elastic, who decided to drop an unauthenticated exploit for MongoDB (basically MySQL) on Christmas Day, that leaks memory and automates harvesting secrets (e.g. database passwords)

> CVE-2025-14847 aka MongoBleed

> Exp: https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

> This one is incredibly widely internet facing and will very likely see mass exploitation and impactful incidents

> Impacts every MongoDB version going back a decade.

> Shodan dork: product:"MongoDB"



> The exploit is real and works, you can just run it and target specific offsets and/or keep running it until you get AWS secrets and such.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

> This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

https://redd.it/1pw913t
@r_systemadmin

Securely share files to me via a persistent link.

Hey guys, I'm looking for a solution that would allow people to securely share a file to me via a persistent link that I would drop in my email signature. There seems to be a ton of products out there that would either let me create links to share files with other people, or create one time links to request information from people, but I cant find one that would allow me to create one persistent link that people could click to upload the file to me. Do yall know of anything like that?

https://redd.it/1pwaadl
@r_systemadmin

Auditors want evidence of monitoring

We’re preparing for an audit and one of the requests is proof that monitoring is happening. We do logs/alerts and on call rotations, but none of it was designed with evidence in mind.


What do auditors actually accept as evidence of monitoring?

https://redd.it/1pwb75w
@r_systemadmin

plug and play site-to-site non-subnoscription VPN devices ?

Looking for a portable-ish solution - what are options to avoid monthly subnoscription software ?

0-3x/month need to remotely work on a PC for 24-48 hours. Different PC at the remote end each time. The ISP device at the remote end would not be in bridge mode and no static IP is possible.

I envision having the remote office staff pull a"target VPN gadget" out of a drawer, plug it in/turn it on, connect by ethernet to ISP modem/router, connect by ethernet or USB to PC and it's done for their involvement. When work on the PC is done, they unplug and store it. Portability for this "target gadget" to be used at a couple of locations without configuration would be a bonus. ISP devices range from Starlink to mobile carrier hotspot to cable or fiber combo modem/router.

The "admin gadget" at our end can require extra work for each connection. The target and admin gadgets must be configurable to recognize/allow access only via the other gadget.

TLDR: need to open an RDP-like connection between PCs with little assistance from end user, avoiding opening an actual RDP port on the ISP device.





https://redd.it/1pwb5dx
@r_systemadmin

NAS Fileserver?

One of our Servers needs to be replaced in 2026. It's for a small group in our office, but they have roughly 13tb of data on this server.

Right now they are in their own domain, and the server is hosting AD/DHCP for their network. The plan is to migrate that group of users into the Companies main domain, and let our main DC / DHCP take over. The question now is file storage.

We're a relatively small business. 130ish users, and day to day only 30 users max would accessing these files at a time. I don't really see the point in spending thousands on a server + CALs.

Does anyone here run a NAS as their "File Server"? I've heard / read good things about Synology. I almost feel like it's 6 in one hand, half dozen in the other.

Any insight would be helpful.

https://redd.it/1pwemoh
@r_systemadmin

SSL certificate expired on our domain and this is my first time fixing this.

I’m still pretty new to this and have mostly done desktop support. Our SSL certificate expired on the 23rd, and the person who normally handles this is out this week and next, so it fell to me. I just want to make sure I’m heading in the right direction.

I renewed the certificate, then learned I needed to generate and submit a CSR. I created the CSR through IIS Manager and submitted it to Network Solutions. It’s been almost six hours now, and the request is still in the “in validation” status. How long does this usually take?

https://redd.it/1pwfhd5
@r_systemadmin

IT ticketing system

Our IT team has been struggling to keep up with all the internal requests and tickets. We’re thinking about switching to a service desk or IT ticketing system that can make things more efficient and maybe automate some tasks. Something that can track assets and integrate with tools like Slack would be a bonus. Has anyone here tried tools like Jira Service Management, FreshService, Siit or GLPI? These are the tools we commonly hear or mentioned, I’d love to hear what worked for those and if any tips to remember.

https://redd.it/1pw6kwu
@r_systemadmin