Andy J Blog - Trials of an IT Engineer

Unifi SSH Guide

Sat, 28 Mar 2026 00:00:00 +0000

SSH Access Methods for UniFi Devices

SSH behaviour across the UniFi product family is not consistent. The UNAS Pro runs a full Debian-based Linux environment. UniFi switches run a proprietary firmware with a limited shell. UniFi gateways (UDM, UDM Pro, UXG) run a locked-down Linux environment with their own persistence model. Each requires a different approach and carries different caveats around authentication, key storage, and what survives a reboot or firmware update.

UNAS Pro Custom Fan Control via systemd

Sun, 08 Mar 2026 00:00:00 +0000

UNAS Pro Custom Fan Control via systemd

The UNAS Pro’s stock fan control tends to run fans aggressively or inconsistently under modest loads. This documents replacing stock fan behaviour with a community-maintained PWM script that runs as a persistent systemd service, with temperature targets tuned for Seagate IronWolf drives.

Script source: hoxxep/UNAS-Pro-fan-control

I have also included a section on manual control, for cases where you are not filling all drive bays and want to set a static fan speed. Personally I use this method as the device sits in a normal room rather than a climate-controlled rack, and I am only running 2x HDD — it works well under those conditions.

Secure Hardware Telemetry with Caddy

Thu, 05 Feb 2026 00:00:00 +0000

Overview

The convergence of home lab infrastructure, remote systems administration, and Zero Trust networking principles has necessitated robust solutions for exposing internal telemetry without compromising security. This guide provides a comprehensive implementation for securing LibreHardwareMonitor using Caddy as a reverse proxy and Tailscale as the transport layer.

The architecture moves beyond simple port forwarding, utilizing an overlay network (Tailscale) to render the service invisible to the public internet, while employing application-layer encryption (TLS) via Caddy. Version 5.0 adds HTTP Basic Authentication and granular firewall rule management, adhering to the principle of Defence in Depth.

ASCII Art Generator - Bitmap-Based Image to Character Conversion

Sun, 25 Jan 2026 00:00:00 +0000

ASCII Art Generator - Image to Character Bitmap Conversion

The resurrection of an old project that I have not touched for a very long time, this version is much improved. It can be used to make interesting images that are highly detailed and most importantly easy to use and maintain.

Overview

A Python script that converts images into coloured ASCII art using bitmap-based character matching. This script analyzes images pixel-by-pixel and matches each region to ASCII characters based on visual similarity. It uses OpenCV for image processing, PIL for font rendering, and NumPy for bitmap comparison operations.

Linux Double-Lock Deletion Protection - SOP

Sun, 25 Jan 2026 00:00:00 +0000

The Evil Command

A single command, or a slight variation of it, has led to the death of thousands of innocent servers. The most frustrating part? It is entirely preventable. I consider the following setup a mandatory part of any deployment process—even for non-production systems. For a sobering reminder of the absolute worst-case scenario, read this account of a production server being wiped in an instant.

Standard Operating Procedure: The “Double-Lock”

This SOP establishes a redundant protection system for Debian-based servers to prevent catastrophic data loss caused by accidental rm -rf / execution.

Windows 11 Pro Installation - Bypassing BIOS Embedded Home Key

Tue, 20 Jan 2026 00:00:00 +0000

Guide for installing Windows 11 Pro on devices with OEM Home edition keys embedded in BIOS/UEFI firmware.

Problem Overview

Many OEM devices (Dell, HP, Lenovo, etc.) have Windows Home product keys embedded in the BIOS MSDM table. During Windows Setup, this key is detected automatically and forces Home edition installation, bypassing edition selection entirely.

This causes issues for:

Autopilot deployments (Home cannot join Entra ID)
Enterprise environments requiring Pro features
Domain join scenarios

Solution Methods

Method	Best For	Requires
ISO Modification	Future deployments, multiple devices	AnyBurn or 7-Zip, ISO access
Post-Install Upgrade	Immediate need, single device	Time for reset cycle

Method 1: ISO Modification (Recommended)

Inject ei.cfg and pid.txt into the Windows ISO to force Pro edition selection.

Microsoft Intune Autopilot and Windows LAPS Deployment Guide

Sat, 17 Jan 2026 00:00:00 +0000

This guide documents the complete process for deploying Windows devices via Autopilot with integrated Windows LAPS password management. All configurations have been lab-verified on Windows 11 25H2 in a pure Azure AD/Entra joined environment.

The guide covers tenant configuration from scratch, custom local administrator account naming, passphrase-based passwords, BitLocker key escrow, and troubleshooting common policy conflicts.

Prerequisites and Licensing

Before configuring Autopilot, LAPS, or BitLocker, the tenant must have appropriate licensing. Missing licenses cause silent failures during OOBE deployment.

Deep NAT OpenVPN Lab Access: Troubleshooting Silent Firewall Failures

Sun, 04 Jan 2026 00:00:00 +0000

Overview

I have been working on putting together a Lab following an excellent guide that can be found at the end of the paragraph.
I am not taking any credit for the amazing work demonstrated by David Varghese but I would like to promote it in the hope that others who have a keen interest to learn new and exciting skills can follow along. I digress; my current setup is really geared as an adaptation of the Lab topology that I picked up from David Varghese’s website. During this process of adaptation I really wanted to learn about PKI - Public Key Infrastructure and building my own VPN tunnel from scratch via Easy-RSA this is used to generate the PKI certificate chain in a Windows environment, this project was not simple and I did run into small issues along the way but when trying to test external connectivity from the internet using my mobile device I ran into an issue that I could not resolve. this article documents my solution. Link to David’s Lab guide - https://blog.davidvarghese.net/posts/building-home-lab-part-1/

Solving Cloudflare DDNS in Double NAT Environments

Sun, 28 Dec 2025 00:00:00 +0000

The Problem

I needed remote VPN access to my home network. The setup seemed straightforward: configure OpenVPN on my UniFi Dream Router, set up Cloudflare DDNS to handle my dynamic IP, and connect from anywhere. Simple enough, right?

Not quite.

I am very aware that this is not the ideal setup but since my Vigor-130 has not yet arrived I needed a good solution that would work in the mean time. This is what I came up with, the UDR is more than capable of doing this but only using PPOE passthrough as my WAN link is only VDSL. I do a lot of labs that need VPNs to work and the below solution works very well.

Microsoft Intune Application Deployment: The Complete Enterprise Guide

Thu, 27 Nov 2025 00:00:00 +0000

Introduction: Modern Application Management with Intune

Microsoft Intune represents a fundamental shift in how enterprises deploy and manage applications. Moving from traditional on-premises solutions like SCCM (System Center Configuration Manager) to cloud-based mobile device management (MDM) and mobile application management (MAM), Intune provides unified endpoint management for devices across Windows, macOS, iOS, Android, and Linux platforms.

This guide provides enterprise-grade implementation strategies, best practices, and troubleshooting procedures for application deployment through Microsoft Intune. Whether you’re migrating from SCCM, implementing Intune for the first time, or optimizing an existing deployment, this comprehensive reference covers everything you need.

QtScrcpy: Professional Android Screen Mirroring and Remote Control

Thu, 27 Nov 2025 00:00:00 +0000

Executive Summary

QtScrcpy is a free, open-source Android screen mirroring and control application that enables real-time display and control of Android devices from Windows, macOS, and Linux computers. Built on top of the highly regarded scrcpy project from Genymobile, QtScrcpy enhances the original with a Qt-based graphical interface, advanced features like custom key mapping, batch device control, and enterprise-grade performance specifications including sub-30ms latency and support for managing 500+ devices simultaneously.

Tailscale: The Zero-Trust Network That Changed How I Manage Infrastructure

Sun, 23 Nov 2025 00:00:00 +0000

Introduction: Rethinking Network Access

For years, managing remote access to my infrastructure followed the same tired pattern: OpenVPN configurations that broke after updates, port forwarding that exposed services to the internet, or restrictive firewalls that made simple SSH access feel like navigating a maze.

I currently still use a VPN that I manage and run via the old methodology, peer management, server etc but as a form of redundancy Tailscale is, for me, the gold standard.

Building a Safe WireGuard Peer Management Script

Thu, 20 Nov 2025 00:00:00 +0000

The Problem with Manual WireGuard Management

Managing WireGuard peers manually can be error-prone. After accidentally deleting an active peer with my old management script, I needed something better - a tool that would never overwrite existing configurations and always create backups before making changes. This makes adding new devices to my personal network much easier. Also it is worth mentioning that this allows you to set the parameters for you specific devices in accordance to the use case without the need to do this manually.

Linux User Management, Permissions, and Navigation Guide

Wed, 19 Nov 2025 00:00:00 +0000

Introduction

This comprehensive guide covers everything you need to know about Linux user management, file permissions, system navigation, and file operations. Whether you’re a beginner or an experienced user, this reference will help you master Linux system administration. Also a good application that you can use after you grasp the basics is Midnight Commander - https://midnight-commander.org

A highly regarded tool to make file management easier and more like working within a regular desktop environment.

Joining the War for Team Blue

Sun, 16 Nov 2025 00:00:00 +0000

My Digital Wake-Up Call

I’m new to the reality of the internet as a battleground—though maybe it always was one. I’ve recently taken the plunge, striving to learn as much as I can and develop my skills in multiple areas simultaneously, especially cybersecurity.

This journey has led me to a much more serious consideration of internet-facing security and the severe implications of ignoring it.

Waking up to personal security alerts screaming that my infrastructure was under attack was a peculiar experience. Yet, it became a valuable learning opportunity. I decided not just to follow the automated tool’s recommendations, but to go beyond them.

Improved Backup Script Usage Guide

Sat, 08 Nov 2025 10:00:00 +0000

Improved Backup Script Usage Guide

This comprehensive guide covers the enhanced backup script with advanced features like compression, incremental backups, and automated reporting. Whether you’re a system administrator or a developer managing server backups, this guide will help you implement reliable backup strategies with performance optimization and verification capabilities.

Overview

The improved backup script provides good backup capabilities with enhanced features for modern system administration needs. Built on robust technologies like rsync and tar with optional parallel compression, it offers both full system backups and space-efficient incremental backups while maintaining data integrity through verification processes.

Basic Penetration Testing Kali Linux

Sat, 08 Nov 2025 00:00:00 +0000

Remote Penetration Testing Guide: Kali Linux

Hacking your own infrastructure with Kali Linux.

This is an example of a script I created for very basic testing to practice my Linux scripting and to make sure my VPS servers remain secure. It is not an in-depth attempt to break things, but it is an attempt to gain more experience with a side of IT that I have little, to no experience in beyond some basic Steganography, which I did in university. Even then that was not related to pen testing but to cryptography. The simple truth is I am lazy and so instead of spending ages collecting all the commands needed to mount an attack / vulnerability scan. I can save a lot of time by automating this process, the below shell script is the result. It works when testing and has given me some ideas. But please be advised it is on the extreme end of simple.

Network Topology Report Generator

Sat, 08 Nov 2025 00:00:00 +0000

Network Topology Report Generator

Brief introduction: The Network Topology Report Generator is a comprehensive bash script that automatically documents your entire network infrastructure. Whether you’re managing VPS servers, home labs, or enterprise networks, this tool creates detailed reports covering interfaces, routing, VPN connections, firewall rules, Docker networks, and active services. Perfect for troubleshooting, documentation, compliance audits, or understanding inherited infrastructure.

I created this as a vanity project as I really like seeing changes in my network and I had the idea to create it, I am unsure as to it utility outside of my use case but I did have a lot of fun troubleshooting it.

Veeam Application Introduction

Sat, 08 Nov 2025 00:00:00 +0000

Comprehensive Guide: Veeam Agent-Level Backups with User Self-Service

Linux VMs & Windows Workstations

Overview

This guide covers implementing Veeam agent-level backups for Linux VMs and Windows workstations with user self-service capabilities, allowing remote users to initiate and manage their own backups while maintaining centralized control.

Key Capabilities

Centralized Management: Manage agents from Veeam Backup & Replication console
User Self-Service: Users can initiate backups from their machines
Flexible Control: Choose between full control and read-only modes
Cross-Platform: Unified approach for Linux and Windows systems

Architecture & Concepts

Agent Operation Modes

1. Standalone Mode

My Role at GMA: A Professional Journey on the Helpdesk

Thu, 30 Oct 2025 14:53:39 +0000

Introduction

My journey at GMA Began one year ago when I joined the team as a Helpdesk technician. Little did I know that this role would become one of the most transformative experiences of my professional career, shaping my skills, perspectives, and approach in IT.

The Company and My Role

About GMA

GMA is a small-to-medium-sized MSP that operates across all areas of IT. The company runs a lean operation, featuring a remarkably busy helpdesk often referred to as the “coal face.” The workload was consistently high—not rushed, but characterized by a sustained flow of tickets.

Self Hosting a New Blog

Thu, 30 Oct 2025 14:53:39 +0000

Welcome to my new blog! After years working in IT, I’ve decided to document my journey, share what I’m learning, and create a resource for others in the technology field.

My Current Custom PC Build - 2025

Thu, 30 Oct 2025 10:00:00 +0000

Contact Me

Wed, 18 Oct 2023 00:00:00 +0000

Email & Phone

Email: Stoicturk182@protonmail.com Phone: (44) 07990338386 Location: London, UK

GitHub: StoicTurk182
LinkedIn: Andrew Jones