May Encrypted Networking
✅ ZeroTier on GMKtec K8 Plus with Proxmox VE
The GMKtec K8 Plus, running Proxmox VE (based on Debian Linux), fully supports ZeroTier — both on the host and within guest VMs.
🧩 ZeroTier on Proxmox — Overview
| Feature | Supported | Notes |
|---|---|---|
| ZeroTier on host (Proxmox) | ✅ Yes | Install via CLI on the Proxmox host (Debian-based) |
| ZeroTier in guest VMs | ✅ Yes | Install separately inside each Windows/Linux VM if needed |
| Bridging to VM network | ✅ Yes | You can bridge the ZeroTier interface onto the VM bridge (vmbr0) if desired. The member must have "Allow Ethernet Bridging" enabled in ZeroTier Central, and bridging exposes the whole vmbr0 segment to every authorised member, so prefer plain routed access unless you really need layer 2 |
| Remote RDP / web UI access | ✅ Yes | Reach the Proxmox web UI (:8006) or RDP into VMs over ZeroTier instead of forwarding those ports on the WAN |
🛠️ Installing ZeroTier on the Proxmox Host
```bash
# Run this directly on the Proxmox host via SSH or console
curl -s https://install.zerotier.com | sudo bash

# Join your network; <NETWORK_ID> is the 16-hex-digit ID shown in ZeroTier Central
sudo zerotier-cli join <NETWORK_ID>

# Authorise the new member in ZeroTier Central, then confirm the status is OK
sudo zerotier-cli listnetworks
```

Piping an installer into bash trusts the TLS connection and ZeroTier's servers; ZeroTier also publishes a GPG-verified variant of the same one-liner on its download page if you want to check the script's signature before it runs. On a private network the host stays in ACCESS_DENIED until you tick "Authorized" against it in ZeroTier Central. Once it is up, keep :8006 reachable only on the LAN and the ZeroTier interface; there is no reason to forward it on the WAN.
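The join-then-wait step above is easy to get wrong by hand (the node sits in ACCESS_DENIED until authorised, and the assigned address only appears after that). The script below is an added example, not ZeroTier's or the page's own code: it polls `zerotier-cli listnetworks`, parses the documented line layout, and prints the address to use for the Proxmox UI. The network ID comes from the command line (no real ID is assumed), the interface names and addresses in `sample_listnetworks` are constructed for offline testing, and the parser assumes the network name contains no spaces (use `zerotier-cli -j listnetworks` with jq if yours does).

```shell
#!/bin/sh
# Added example (not from the page or from ZeroTier): join a Proxmox host to a
# ZeroTier network, wait until the membership is authorised, and report the
# address for the web UI. Requires zerotier-one to be installed already.
set -eu

# Parse `zerotier-cli listnetworks` (stdin) for one network and print
# "<status> <dev> <assigned-ips>". Documented line layout:
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
zt_network_state() {   # $1 = 16-hex-digit network id
    awk -v nwid="$1" '$1 == "200" && $2 == "listnetworks" && $3 == nwid { print $6, $8, $9 }'
}

# First assigned address from a "<status> <dev> <ips>" line, prefix length removed.
zt_host_ip() {   # $1 = state line
    printf '%s\n' "$1" | awk '{ split($3, a, ","); sub(/\/.*/, "", a[1]); print a[1] }'
}

# Poll until the controller reports OK. ACCESS_DENIED means a human still has
# to tick "Authorized" for this member in ZeroTier Central (private networks).
zt_wait_ok() {   # $1 = network id, $2 = timeout in seconds
    waited=0
    while [ "$waited" -lt "$2" ]; do
        state=$(zerotier-cli listnetworks | zt_network_state "$1")
        case "${state%% *}" in
            OK) printf '%s\n' "$state"; return 0 ;;
            ACCESS_DENIED) echo "waiting: authorise this node in ZeroTier Central" >&2 ;;
        esac
        sleep 5
        waited=$((waited + 5))
    done
    echo "timed out waiting for network $1" >&2
    return 1
}

join_and_report() {   # $1 = network id
    zerotier-cli join "$1" >/dev/null
    state=$(zt_wait_ok "$1" 300)
    echo "ZeroTier interface: $(printf '%s\n' "$state" | awk '{ print $2 }')"
    echo "Proxmox web UI over ZeroTier: https://$(zt_host_ip "$state"):8006/"
}

# Constructed sample output (hypothetical IDs, interfaces and addresses) so the
# parser can be exercised on a machine without ZeroTier installed.
sample_listnetworks() {
    printf '%s\n' \
      '200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>' \
      '200 listnetworks 1234567890abcdef homelab 02:1a:2b:3c:4d:5e OK PRIVATE ztexample1 10.147.17.5/24' \
      '200 listnetworks fedcba0987654321 staging 02:aa:bb:cc:dd:ee ACCESS_DENIED PRIVATE ztexample2 -'
}

# Usage: sh zt-join.sh <network-id>   (run as root on the Proxmox host)
if [ $# -gt 0 ]; then join_and_report "$1"; fi
```

The polling loop stops on OK and keeps reminding you while the node is unauthorised, which is the state people most often mistake for a broken install. Run it as root on the host; the same script works unchanged inside a Debian guest.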
August 25, 2025
HMRC’s “tax year basis” concession for businesses and records.
Now that everyone on Self Assessment has been moved onto the tax year basis instead of their own chosen accounting dates, this suddenly becomes relevant where it never was before.
Our official personal and corporation tax year runs from 6 April to the following 5 April. However, HMRC accepts that for practical purposes, especially for bookkeeping and accounts preparation, we can treat the year ending 31 March as if it were the same as 5 April.
This is called the 31 March year-end concession [factual]:
• Why: It avoids having to split income and expenses across a small stub period (1–5 April), since the difference is only five days.
• Who it applies to: Self-employed people, partnerships and landlords most commonly, but it also turns up in PAYE and other HMRC forms where "tax year" is relevant.
• Effect: If records are made up to 31 March, HMRC will accept them as covering the full tax year to 5 April, with no adjustment required for those extra days.
• Notification: There is no separate notification or election form; we simply prepare the accounts to 31 March and treat them as the tax year. HMRC's online return and paper forms explicitly allow for this. If we were moving to or from a different accounting date, we would have to notify them in the relevant Self Assessment pages.
The exact HMRC reference is in their Self Assessment Manual at SAM121050 and in the Business Income Manual at BIM81045, which confirm that 31 March is deemed equivalent to 5 April for tax purposes.
What's the 31 March Concession?
• HMRC treats a business's accounting period ending on 31 March (or any date from 31 March to 4 April) as if it ended on the tax year end, 5 April, for basis-period calculations. This means we do not have to apportion profit for the extra days; the accounts are treated as running through to 5 April.
• The late accounting date rules confirm that, for accounting dates between 31 March and 4 April inclusive, the profits from 1 April to 5 April are treated as nil for that tax year and instead attributed to the next tax year, unless we specifically elect otherwise.
In practice: If our business prepared accounts to 31 March, in most years HMRC accepts that as covering profits to 5 April with no separate notification or special reporting needed — it’s built into the system.
Transition & Notification
• There is no need for a separate notification to HMRC if you are simply using a 31 March year-end; it is accepted by default under the basis-period concession.
• However, if our accounting date is between 31 March and 4 April inclusive, the late accounting date rules apply automatically unless you choose to elect out. That election must be made within one year of the normal Self Assessment filing deadline for that tax year.
| Situation | What happens | Notification required? |
|---|---|---|
| Accounts end on 31 March | Treated as ending on 5 April; profits for 1–5 April are attributed to the next tax year automatically | No |
| Accounts end between 31 March and 4 April | Profits for 1–5 April treated as nil for the current year and shifted to the next year; you can elect otherwise | Only if you want to override the default (election within 1 year of the filing deadline) |
So HMRC allows a 31 March year-end to “stand in” for the 5 April tax year-end. No special filing or notification required, unless we’re deliberately wanting to disapply the late accounting date treatment.
August 11, 2025
| Feature | Dropbox | OneDrive | Google Drive | Local NAS |
|---|---|---|---|---|
| Version history | ✅ 30–180 days depending on plan | ✅ 30 days (Personal), 93+ days (Business) | ✅ 30 days or 100 versions | ⚠️ Manual setup (e.g. Btrfs/ZFS snapshots) |
| Rewind entire folder/account | ✅ Full Rewind (Professional/Business) | ✅ Entire OneDrive (via ransomware recovery) | ❌ No folder rewind; manual per-file | ⚠️ If snapshotting is configured |
| Deleted file recovery | ✅ Up to 180 days | ✅ Recycle Bin (93+ days Business) | ✅ 30 days by default | ❌ Unless backup/snapshot systems are present |
| Automatic ransomware detection | ⚠️ None built-in | ✅ Microsoft detects and alerts | ❌ No direct detection | ❌ Not built-in |
| Restore en masse | ✅ Rewind | ✅ Ransomware Recovery Tool | ❌ Manual only | ⚠️ Scripted restore possible |
| Paid plan / setup required | ✅ Rewind requires Professional plan | ✅ Full features on Microsoft 365 plans | ❌ Basic versioning available to all | ✅ Requires admin setup |
| Shared folder exposure risk | ⚠️ Yes (encrypted files sync to others) | ⚠️ Yes | ⚠️ Yes | ⚠️ Yes (if mounted/shared) |
| Offline backups supported | ❌ Not natively | ❌ Not natively | ❌ Not natively | ✅ Strong, if configured |
| Immutability support | ❌ No | ❌ No | ❌ No | ✅ With proper setup (e.g. ZFS snapshots) |
🏁 Summary
- Dropbox: Strong versioning and full Rewind recovery, but limited automatic detection.
- OneDrive: Best resilience for general users due to ransomware detection, alerts, and full account restore.
- Google Drive: Basic versioning only; weak against mass ransomware without manual work.
- Local NAS: Can be extremely resilient if configured with snapshots or offline backups, but vulnerable by default.
✅ Best Ransomware Defence Strategy
| Service | Recommended defence |
|---|---|
| Dropbox | Use Professional or Business plan with Rewind; supplement with offline backups |
| OneDrive | Use with Microsoft 365 Business for alerts + recovery |
| Google Drive | Use with third-party backup (e.g. Spanning, Backupify) |
| Local NAS | Implement automated snapshots and offline backup rotation |
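The NAS row is the only one where immutability is in your own hands, so it is worth showing what "automated snapshots with proper setup" looks like. The script below is an added example, not the page's own procedure: it takes a daily ZFS snapshot, puts a `zfs hold` on it so a plain `zfs destroy` is refused until the hold is released, and prunes the oldest snapshots beyond a retention count. The dataset name `tank/shares` and the `auto-` prefix are assumptions; the `zfs` commands only run when a dataset is passed on the command line, so the pruning logic can be tested on any machine.

```shell
#!/bin/sh
# Added example (not from the page): ransomware-resistant snapshot rotation
# for a ZFS-backed NAS share. Dataset and prefix names are hypothetical.
set -eu
export LC_ALL=C          # deterministic sort order for snapshot names

PREFIX="auto"            # snapshot name prefix, e.g. auto-2025-08-11
KEEP=30                  # daily snapshots to retain
HOLD_TAG="ransomguard"   # a held snapshot cannot be destroyed until released

# Snapshot name for an ISO date (YYYY-MM-DD). ISO dates sort chronologically.
snap_name() { printf '%s-%s\n' "$PREFIX" "$1"; }

# Read snapshot names (one per line, any order) and print those to destroy so
# that only the newest $1 remain. Prints nothing when there are $1 or fewer.
snapshots_to_prune() {   # $1 = number to keep
    sort | awk -v keep="$1" '{ lines[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print lines[i] }'
}

# Take today's snapshot, hold it, then prune. Clients reaching the share over
# SMB/NFS cannot touch snapshots at all; the hold is there so that a script or
# leaked admin credential has to release each one explicitly first, which is
# visible in the NAS audit trail.
rotate() {   # $1 = dataset, e.g. tank/shares
    ds="$1"
    snap="$ds@$(snap_name "$(date -u +%Y-%m-%d)")"
    zfs snapshot "$snap"
    zfs hold "$HOLD_TAG" "$snap"
    zfs list -H -t snapshot -o name -r "$ds" \
      | sed -n "s|^$ds@\($PREFIX-.*\)$|\1|p" \
      | snapshots_to_prune "$KEEP" \
      | while read -r old; do
            zfs release "$HOLD_TAG" "$ds@$old" 2>/dev/null || true
            zfs destroy "$ds@$old"
        done
}

# Usage: sh zfs-rotate.sh tank/shares   (from root's crontab, once a day)
if [ $# -gt 0 ]; then rotate "$1"; fi
```

Retention is the knob that matters for ransomware: encryption that went unnoticed for three weeks needs a snapshot older than three weeks, so size KEEP to your detection latency, not your disk space. Replicating the held snapshots to a second box with `zfs send` is the offline-rotation half of the strategy row above.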
August 2, 2025
Overview
This guide provides step-by-step instructions to secure a small business network with:
- A single LAN
- Ubiquiti UniFi Ultra as the gateway
- No port forwarding or open inbound ports
Threat vectors addressed include phishing, lateral movement, internal misconfiguration, and remote exploitation.
🔧 1. Edge Router & Firewall: Lock Down the Gateway
✅ UniFi Ultra Firewall Rules
- Deny by default all inbound WAN traffic
- Allow only established/related connections
- Explicitly drop all other WAN IN traffic
Recommended Rules (WAN IN):
Rule 1: Accept ESTABLISHED,RELATED → WAN IN
Rule 2: Drop All → WAN IN
WAN LOCAL (protects the gateway's own UI and services):
Rule 1: Accept ESTABLISHED,RELATED → WAN LOCAL (the gateway's own WAN DHCP renewals and DNS replies depend on this)
Rule 2: Drop All → WAN LOCAL
UniFi's default policy already drops unsolicited WAN IN and WAN LOCAL traffic; writing the rules out explicitly makes the intent visible and auditable. Do not open DNS or DHCP towards the WAN; those services belong on the LAN side only.
Additional Router Hardening:
- ❌ Disable UPnP
- ❌ Disable IPv6 (unless used securely)
- ✅ Disable UniFi Cloud Access (or restrict to admin IPs)
- ✅ Restrict GUI management access to VLAN 10 (trusted)
🧱 2. LAN Segmentation (Minimal VLAN Strategy)
| VLAN | Name | Devices |
|---|---|---|
| 10 | Trusted LAN | Admin PCs, servers |
| 20 | IoT / Untrusted | Smart TVs, IP cams, printers |
| 30 | Guest or BYOD | Visitors, staff personal devices |
VLAN Rules:
- 🚫 Block inter-VLAN by default
- ✅ Allow VLAN 10 → VLAN 20/30 (if needed)
- ❌ VLAN 20/30 should not access VLAN 10
🧑💻 3. Endpoint Hardening
Workstations:
- ✅ OS auto-updates
- ✅ EDR/AV (e.g. Defender with ASR or CrowdStrike)
- ❌ No RDP unless secured internally
- 👤 Daily users: non-admin accounts
Servers:
- 🔥 Local firewall enabled
- 🧱 Block all except trusted LAN IPs
- 🔄 Scheduled, off-site backups
- ❌ Disable unused remote protocols (e.g. WinRM, RDP)
🔒 4. DNS & Outbound Filtering
DNS-Level Defence:
Use one of:
Features:
- 🚫 Malware & phishing domain block
- 📊 DNS logging and analytics
Outbound Rules (LAN → WAN):
- ❌ Block:
- TCP 445 (SMB)
- TCP 3389 (RDP)
- FTP, Telnet
- 🔐 Optional: whitelist-only outbound for VLAN 20
🔐 5. Authentication & Monitoring
- 🔐 Enable MFA on all admin accounts
- 📉 Enable UniFi Threat Management (IDS/IPS: Balanced mode)
- 📜 Log to Syslog or external collector
- 👥 Disable unused users, rotate passwords periodically
🔄 6. Backup & Recovery
- 🧊 Immutable, versioned backups (on NAS, PBS, or cloud)
- 📁 Backup:
- Router config
- Servers & domain controller
- Business data
- 🧪 Test restores quarterly
🚫 7. Remote Access (Optional)
If required:
- ✅ Use Tailscale or WireGuard
- ❌ Do not expose RDP, UniFi GUI, NAS, or printers
- 🔐 Device approval and 2FA for VPN accounts
🧪 8. Security Audit Checklist
| Check | Frequency | Done |
|---|---|---|
| OS & firmware patched | Weekly | ☐ |
| Open ports scan (nmap) | Monthly | ☐ |
| IDS/IPS alerts reviewed | Weekly | ☐ |
| Endpoint AV/EDR status | Weekly | ☐ |
| Backups tested | Quarterly | ☐ |
| VLAN rules audited | Quarterly | ☐ |
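The "no open inbound ports" claim in the overview is only true until someone enables a port forward for a camera or a NAS, so the monthly nmap check is worth automating with a baseline rather than eyeballing the output. The script below is an added example, not from the page: it scans the WAN address, reduces nmap's grepable output to "port/proto" lines, and alerts on anything that was not open last time. Run it from a host outside the LAN (a cheap VPS or a phone hotspot), because scanning your own WAN address from inside tests the hairpin-NAT path rather than the real edge. The target, the baseline path and the sample output are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): monthly external port scan with a baseline
# diff, for the "Open ports scan (nmap)" checklist item. Needs nmap.
set -eu
export LC_ALL=C          # sort/comm must agree on ordering
BASELINE="${BASELINE:-${HOME:-/tmp}/.wan-ports.baseline}"   # placeholder path

# Reduce nmap grepable (-oG) output on stdin to sorted "port/proto" lines for
# open ports. A grepable Host line looks like:
#   Host: 203.0.113.5 ()<TAB>Ports: 22/open/tcp//ssh///, 443/open/tcp//https///<TAB>Ignored State: ...
open_ports_from_grepable() {
    awk -F'Ports: ' '/^Host:/ && NF > 1 { print $2 }' \
      | tr ',' '\n' \
      | awk -F/ '{ sub(/^ +/, "", $1); if ($2 == "open") print $1 "/" $3 }' \
      | sort -u
}

# Lines present in $2 (current scan) but absent from $1 (baseline); both sorted.
new_open_ports() { comm -13 "$1" "$2"; }

scan_wan() {   # $1 = WAN address or DDNS hostname
    tmp=$(mktemp)
    nmap -Pn -p- -T4 --open -oG - "$1" | open_ports_from_grepable > "$tmp"
    if [ ! -f "$BASELINE" ]; then
        cp "$tmp" "$BASELINE"
        echo "baseline recorded: $(wc -l < "$BASELINE") open port(s), review it by hand once"
    else
        added=$(new_open_ports "$BASELINE" "$tmp")
        if [ -n "$added" ]; then
            echo "ALERT: ports open that were not in the baseline:"
            echo "$added"
            rm -f "$tmp"
            exit 2
        fi
        echo "OK: no new open ports ($(wc -l < "$tmp") open in total)"
    fi
    rm -f "$tmp"
}

# Constructed nmap -oG output (documentation address 203.0.113.5) for offline tests.
sample_grepable() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 203.0.113.5 ()\tStatus: Up\n'
    printf 'Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8006/closed/tcp/////\tIgnored State: filtered (65532)\n'
    printf '# Nmap done\n'
}

# Usage: sh wan-scan.sh <wan-address>   (first run records the baseline)
if [ $# -gt 0 ]; then scan_wan "$1"; fi
```

A full `-p-` TCP sweep of one address takes a few minutes from outside; that is fine for a monthly cron job. For the guide's stated goal the correct baseline is empty, so any line in the alert is a port forward to go and explain. UDP is not covered here; add a separate `-sU` pass for the handful of UDP services (DNS, VPN) you actually expect.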
Tip: For central visibility, consider using a self-hosted Grafana + Loki + Promtail or Graylog stack to aggregate firewall, system, and DNS logs.
National Cyber Security Centre certificates
August 2, 2025
📨 1. Phishing Emails [factual]
• Most common method.
• User receives a deceptive email with a malicious link or attachment (e.g. PDF, Word doc with macros).
• Once opened, the malware downloads and executes ransomware.
• Often disguised as invoices, delivery notices, or resumes.
🌍 2. Compromised Websites [factual]
• Known as drive-by downloads.
• Visiting a booby-trapped website (even briefly) can trigger a silent download if the browser or plugins are vulnerable.
• These sites often look legitimate and may even be hacked versions of trusted domains.
🔓 3. Remote Desktop Protocol (RDP) Attacks [factual]
• Attackers scan the internet for exposed or poorly protected RDP services.
• Use brute-force attacks or leaked credentials to log in.
• Once in, they manually install the ransomware.
• Common in targeted attacks against businesses.
🧑💻 4. Software Vulnerabilities / Exploits [factual]
• Attackers exploit known vulnerabilities in unpatched operating systems or applications.
• Examples include EternalBlue (MS17-010, used by WannaCry in 2017) exploiting SMBv1.
• Exploits can spread ransomware across internal networks quickly.
🧳 5. Malicious Ads (Malvertising) [factual]
• Infected adverts served via ad networks on legitimate websites.
• No user interaction needed beyond viewing the page.
• Often combined with exploit kits to target browser flaws.
💾 6. Infected Software or USB Devices [factual]
• Trojanised installers from unofficial sources (pirated software, keygens).
• Or ransomware pre-loaded on USB sticks (common in social engineering attacks).
🧠 7. Initial Access Brokers (IABs) [inference / emerging threat]
• Criminals specialising in breaching networks and selling access.
• Buyers (including ransomware gangs) purchase this access to deploy payloads.
August 2, 2025
🔐 1. Backup Strategy
• Daily backups, both on-site and off-site (e.g. cloud + external drives).
• Use immutable or versioned backups where possible.
• Regularly test restoration procedures.
Most of what follows is not realistically going to be done by an average small business.
🛡️ 2. Endpoint Protection
• Install and maintain reputable antivirus/anti-malware software.
• Enable real-time protection and automatic updates.
🚧 3. Firewall & Network Segmentation
• Use a hardware firewall or UTM appliance.
• Segment critical systems (e.g. finance, admin) from general use areas.
🔑 4. Access Control
• Enforce least privilege: users only get access to what they need.
• Use unique credentials and disable shared accounts.
🔁 5. Patch & Update Management
• Apply security updates to OS, applications, and firmware promptly.
• Automate where feasible, especially for Windows, macOS, and server software.
✉️ 6. Email Security
• Use spam filters with malware and phishing detection.
• Warn users about attachments and links from unknown senders.
🧠 7. User Training
• Educate staff on phishing, social engineering, and suspicious activity.
• Run simulated phishing campaigns periodically.
🧾 8. Application Whitelisting
• Limit systems to run only authorised software.
• Block unauthorised scripts and macros (especially in MS Office).
🔍 9. Monitoring & Logging
• Enable centralised log collection.
• Monitor for unusual access patterns, e.g. large file movements or login attempts.
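"Unusual access patterns, e.g. large file movements" is the one signal in this list a small business can actually act on quickly, because ransomware on a file share announces itself as one account rewriting hundreds of files in a minute. The detector below is an added example, not the page's own tooling: it runs over an audit log and fires on a burst of write/rename/delete events by a single user inside a sliding window, and separately on a file name that looks like a ransom note. The log format is constructed for the example (one event per line: epoch seconds, user, operation, path with no spaces); map your real source (Samba full_audit, Windows 4663 events exported to text) onto those four fields. The users, paths and threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): flag ransomware-like activity in a file
# server audit log. Log format is constructed: "<epoch> <user> <op> <path>".
set -eu

# Rule 1: at least $2 write/rename/delete events by one user within a $3-second
# sliding window. Rule 2: a file name that looks like a ransom note.
# Prints one ALERT line per (user, rule); exits 0 either way so cron can mail it.
detect_ransomware_activity() {   # $1 = log file, $2 = op threshold, $3 = window seconds
    awk -v thr="$2" -v win="$3" '
    {   # Rule 2 checked on every event so a single note fires even at low volume
        p = tolower($4)
        if (p ~ "(readme|decrypt|recover|restore)[^/]*[.](txt|html|hta)$" && !note[$2]) {
            note[$2] = 1
            print "ALERT ransom-note-like file user=" $2 " path=" $4 " t=" $1
        }
    }
    $3 == "write" || $3 == "rename" || $3 == "delete" {
        u = $2; t = $1
        n[u]++; ts[u, n[u]] = t          # append event time to this user'"'"'s queue
        # drop queue head while it is older than the window
        while (head[u] < n[u] && ts[u, head[u] + 1] < t - win) head[u]++
        cnt = n[u] - head[u]
        if (cnt >= thr && !burst[u]) {
            burst[u] = 1
            print "ALERT mass-modification user=" u " ops=" cnt " within " win "s ending t=" t
        }
    }' "$1"
}

# Constructed sample: alice works normally; bob rewrites 12 documents in 11 s
# and then drops a ransom note. Not real data.
sample_audit_log() {
    printf '%s\n' \
      '1723370000 alice write /shares/finance/q2.xlsx' \
      '1723370090 alice write /shares/finance/q2.xlsx' \
      '1723370500 alice rename /shares/finance/q2-old.xlsx'
    i=0
    while [ "$i" -lt 12 ]; do
        printf '%d bob write /shares/hr/doc%d.docx.locked\n' $((1723371000 + i)) "$i"
        i=$((i + 1))
    done
    printf '1723371012 bob write /shares/hr/README_DECRYPT.txt\n'
}

# Usage: sh detect.sh /var/log/share-audit.log [threshold] [window-seconds]
if [ $# -gt 0 ]; then detect_ransomware_activity "$1" "${2:-50}" "${3:-60}"; fi
```

Set the threshold from a week of your own logs: take the busiest legitimate minute you see from a human user and go well above it, and exclude backup and sync service accounts explicitly rather than raising the threshold for everyone. The sliding window is per user, so a slow-and-low actor spreading writes over hours will not trip rule 1; that is what the snapshot retention in the backup section is for.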
🔐 10. Multi-Factor Authentication (MFA)
• Enforce MFA for:
  • Admin accounts
  • Remote access
  • Email systems (e.g. Microsoft 365, Google Workspace)
August 2, 2025