Improve security by running neovim in a container

I use neovim as my editor of choice for the Linux command line. Neovim has a huge ecosystem of plugins, and I use the lazyvim “distribution”, which provides a curated set of plugins for people like me who don’t want to spend time configuring neovim.

This plugin model has a problem, however: neovim fetches code from the Internet and executes it on your system with your user’s privileges, so that code has complete access to your files and secrets. With all the supply chain attacks we are hearing about these days, this is a real risk.

To reduce the attack surface, I now run neovim in a podman container through a custom wrapper script. The script launches a container with only the minimal access to the host system that the editor needs to do its job.
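The shape such a wrapper can take, as an added example rather than the script from the post: a rootless podman container that sees only the project directory, the nvim config and a dedicated plugin/state directory, with all capabilities dropped, no privilege escalation, a read-only root filesystem and an optional offline mode. The image name `localhost/nvim-box`, the `nvim-box` directory under `~/.local/share` and the `NVIM_BOX_*` variables are assumptions; building the image (neovim, git and the compilers lazy.nvim and treesitter need) is not shown.

```shell
#!/usr/bin/env bash
# nvim-box: start neovim in a rootless podman container that can only see the
# project directory, the nvim config and a dedicated plugin/state directory.
# Assumptions (not from the original post): an image "localhost/nvim-box" with
# neovim, git and build tools inside, and the directory names used below.
set -eu

IMAGE="${NVIM_BOX_IMAGE:-localhost/nvim-box:latest}"
CONFIG_DIR="${XDG_CONFIG_HOME:-${HOME:-/tmp}/.config}/nvim"
# Plugins, state and caches live here instead of ~/.local/share/nvim, so a
# malicious plugin can only write to the project and to these directories.
BOX_HOME="${NVIM_BOX_HOME:-${HOME:-/tmp}/.local/share/nvim-box}"

# Print the podman arguments for editing DIR, one per line, without running
# anything. Any extra arguments are passed through to nvim.
nvim_box_args() {
    dir=$1
    shift
    printf '%s\n' \
        run --rm -it --hostname nvim-box \
        --userns=keep-id \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only \
        --tmpfs /home/dev \
        --pids-limit=512 \
        -e HOME=/home/dev -e "TERM=${TERM:-xterm-256color}" -e COLORTERM=truecolor \
        -w /work \
        -v "$dir:/work:Z" \
        -v "$CONFIG_DIR:/home/dev/.config/nvim:Z" \
        -v "$BOX_HOME/data:/home/dev/.local/share/nvim:Z" \
        -v "$BOX_HOME/state:/home/dev/.local/state/nvim:Z" \
        -v "$BOX_HOME/cache:/home/dev/.cache/nvim:Z"
    # Once the plugins are installed, NVIM_BOX_OFFLINE=1 removes network access.
    [ "${NVIM_BOX_OFFLINE:-0}" != 1 ] || printf '%s\n' --network=none
    printf '%s\n' "$IMAGE" nvim "$@"
}

main() {
    [ -d "$1" ] || { printf 'nvim-box: not a directory: %s\n' "$1" >&2; return 1; }
    dir=$(cd "$1" && pwd -P)
    shift
    args=$(nvim_box_args "$dir" "$@")
    # Turn the newline-separated list back into argv (paths with spaces are
    # fine, paths containing newlines are not).
    set --
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$args
EOF
    mkdir -p "$BOX_HOME/data" "$BOX_HOME/state" "$BOX_HOME/cache"
    exec podman "$@"
}

if [ $# -gt 0 ]; then
    main "$@"
else
    printf 'usage: %s DIR [nvim args...]\n' "${0##*/}" >&2
fi
```

Usage is `nvim-box ~/src/project [file ...]`. `--userns=keep-id` keeps file ownership in the project directory unchanged, `--read-only` turns the image root into a read-only filesystem (podman still mounts tmpfs on /run and /tmp), the home directory is a throwaway tmpfs, and the `:Z` suffix relabels the mounted directories for SELinux. Network access stays on by default because lazy.nvim needs git to fetch plugins; once they are installed, `NVIM_BOX_OFFLINE=1` removes it.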

[Read More]
Categories: linux  Tags: neovim security containers 

My double proxy solution to LaLiga blocks

If you are not aware, LaLiga (Spain’s football league) blocks thousands of IP addresses in Spain every time a football match is on TV, in an attempt to fight pirated football streams on the Internet. Of course it isn’t working: the pirate sites remain accessible without a hitch, while thousands of legitimate websites stop working. You can find more information about the affected IPs on the fantastic page ¿Hay ahora fútbol?.

I recently discovered that some strange errors I was seeing in a few of my home lab services were caused by these blocked IPs. The affected IPs are hijacked and HTTP connections are redirected to LaLiga’s web server. HTTPS connections fail with a certificate error like this one, because the certificate presented by the hijacking server is neither issued for the requested name nor chained to a trusted CA:

[Error] X509CertificateValidationService: Certificate validation for api.radarr.video failed. RemoteCertificateNameMismatch, RemoteCertificateChainErrors

To avoid these problems I have built a solution with two proxies and a VPN.

[Read More]
Categories: linux  Tags: squid vpn gluetun networking censorship 

From Fail2ban to Reaction

Fail2ban has been an important security tool on my servers for many years. However, it is sometimes difficult to configure, lacks certain features and can consume too many resources.

Recently I’ve switched to Reaction, a new tool with the same philosophy: monitor logs and execute actions when lines match a pattern. Reaction is written in Go and ships as a single binary, so it’s fast and resource efficient.

[Read More]
Categories: linux  Tags: security fail2ban reaction 

Vykar backup tool

I’ve been using Borg backup for many years and I’m pretty happy with it, but today a new alternative has been published: Vykar backup.

The tool is still new and not ready for production, but the benchmarks they published look very promising. It also supports object storage backends, something Borg has been promising for years but which is still on its roadmap.

I will definitely keep track of its progress as it might be a good alternative in the future.

Categories: linux  Tags: backups 

IP sets in OpenWrt 22.03

OpenWrt has recently released version 22.03, and one of its biggest changes is the switch from iptables (fw3) to nftables (fw4).

I’ve noticed, though, that with nftables you no longer use ipset as I was used to: nftables has its own concept of sets, defined inside the ruleset itself.

I wanted to create a firewall rule that filters a list of IPs downloaded from a URL, but the integration was not as straightforward as with iptables, so I ended up creating this solution.
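One way to do this with native nftables sets, as an added example that is not the solution from the post: a script that turns a plain-text IP list into an nft include file containing an interval set and two base chains that drop matching sources, then reloads fw4. It assumes, as the OpenWrt documentation describes for firewall4, that fw4 includes every `/etc/nftables.d/*.nft` file inside `table inet fw4` on reload; the list URL, the file name `10-blocklist.nft` and the set name `blocklist_v4` are placeholders.

```shell
#!/bin/sh
# Build an nftables include file for fw4 from a plain-text IPv4 blocklist.
# Assumptions (not from the original post): fw4 includes /etc/nftables.d/*.nft
# inside "table inet fw4"; the URL, file name and set name are placeholders.
set -eu

LIST_URL="${BLOCKLIST_URL:-https://example.com/blocklist.txt}"
NFT_FILE="${BLOCKLIST_NFT:-/etc/nftables.d/10-blocklist.nft}"

# Read one IPv4 address or CIDR per line from stdin ('#' comments, blank lines
# and anything that is not a dotted quad are dropped) and print the include:
# an interval set plus base chains on input and forward that drop matching
# sources. The set name is $1 (default blocklist_v4).
blocklist_to_nft() {
    name=${1:-blocklist_v4}
    elements=$(sed 's/#.*//; s/[[:space:]]//g' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | sort -u \
        | awk '{ printf "%s%s", (NR > 1 ? ", " : ""), $0 }')
    printf 'set %s {\n    type ipv4_addr\n    flags interval\n    auto-merge\n' "$name"
    # "elements = { }" is a syntax error, so omit the line for an empty list.
    [ -z "$elements" ] || printf '    elements = { %s }\n' "$elements"
    printf '}\n'
    # Separate base chains at a higher priority than fw4's own, so the drop
    # happens before zone rules and survives fw4 regenerating its chains.
    for hook in input forward; do
        printf 'chain %s_%s {\n    type filter hook %s priority filter - 1; policy accept;\n    ip saddr @%s counter drop\n}\n' \
            "$name" "$hook" "$hook" "$name"
    done
}

# Download the list, regenerate the include file and reload fw4.
update_blocklist() {
    tmp=$(mktemp)
    # uclient-fetch ships with every OpenWrt image; curl may not.
    uclient-fetch -q -O - "$LIST_URL" | blocklist_to_nft blocklist_v4 > "$tmp"
    mv "$tmp" "$NFT_FILE"
    fw4 reload
}

case "${1:-}" in
    update) update_blocklist ;;
    *) printf 'usage: %s update   (writes %s and reloads fw4)\n' "$0" "$NFT_FILE" >&2 ;;
esac
```

Run `blocklist.sh update` from cron to refresh the list. `flags interval` with `auto-merge` lets the set hold both single addresses and CIDR ranges and collapses overlaps, and because the generated file is validated by `fw4 reload` as part of the whole ruleset, a malformed download fails the reload instead of silently loading half a list; keep the previous file around if you want `fw4` to fall back to it.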

[Read More]
Categories: linux  Tags: openwrt 

SNI-based load balancing with HAProxy

In a bare-metal OpenShift installation you need an external load balancer to reach the API and other services. In my home lab I also have a web server accessible from the Internet, and I don’t want to terminate TLS in the load balancer, so that I can keep using the existing certificates on my web server and on the OpenShift cluster.

With these requirements in mind, I chose HAProxy as my frontend load balancer: every HTTPS connection to my public IP is routed to the appropriate server by examining the SNI field of the TLS ClientHello, which is sent in the clear, so HAProxy can read it without holding any private key.
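An HAProxy configuration in this style, as an added example rather than the one from the post. The hostnames under `example.com`, the backend addresses and the server names are assumptions; the API frontend on 6443 is included because the OpenShift API is reached on its own port and does not need SNI routing.

```haproxy
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  1h
    timeout server  1h

# Port 443: TLS passthrough, the backend is chosen from the SNI only.
# No certificate or key is configured here; the backends keep their own.
frontend https_sni
    bind :443
    # Buffer the start of the stream until the ClientHello has arrived so
    # req.ssl_sni has something to inspect, and only accept real TLS.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend ocp_ingress if { req.ssl_sni -m end .apps.ocp.example.com }
    use_backend www         if { req.ssl_sni -i www.example.com }
    # Missing or unknown SNI: close the connection instead of exposing a
    # default backend to probes by bare IP.
    default_backend drop

# The OpenShift API lives on 6443 and is plain TCP balancing, no SNI needed.
frontend ocp_api
    bind :6443
    default_backend ocp_api

backend ocp_ingress
    balance source
    option ssl-hello-chk
    server worker0 10.0.0.21:443 check
    server worker1 10.0.0.22:443 check

backend ocp_api
    option ssl-hello-chk
    server master0 10.0.0.11:6443 check
    server master1 10.0.0.12:6443 check
    server master2 10.0.0.13:6443 check

backend www
    option ssl-hello-chk
    server web 10.0.0.30:443 check

backend drop
    tcp-request content reject
```

Two caveats: since HAProxy only forwards bytes, the backends see the load balancer’s IP as the client; if the web server logs or rate-limits by address, enable the PROXY protocol with `send-proxy` on the server line and `accept-proxy` (or the equivalent) on the backend. And SNI is only present in the ClientHello of clients that send it, so anything connecting without SNI (old clients, scanners hitting the bare IP) ends up in the `drop` backend, which is the safe default.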

[Read More]
Categories: fedora linux  Tags: haproxy 

PXE server in Fedora with dnsmasq

I’m currently running many tests with the OpenShift bare-metal installation, and as I’m creating and destroying the VMs again and again, having a PXE server that provides the installation images and configuration to the VMs is very handy and saves a lot of time.

This is an example of my PXE configuration, set up on a Fedora box that also acts as the router.
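A dnsmasq fragment for such a setup, added here as an example and not the configuration from the post. The interface name, addresses, MAC address and file names are assumptions; the `client-arch` match is what lets one server boot both UEFI and legacy BIOS VMs.

```conf
# /etc/dnsmasq.d/pxe.conf on the Fedora router (added example; interface,
# addresses, MAC and file names are assumptions).

# PXE, DHCP and TFTP are unauthenticated: serve them on the lab segment only
# and never on the Internet-facing interface.
interface=br-lab
bind-interfaces
dhcp-range=192.168.50.100,192.168.50.200,12h
dhcp-option=option:router,192.168.50.1
dhcp-option=option:dns-server,192.168.50.1

# Pin each VM to a fixed address so its role and Ignition config can be
# selected by IP (the MAC is a placeholder).
dhcp-host=52:54:00:00:00:11,master0,192.168.50.11

# TFTP root holding the bootloaders plus the RHCOS kernel and initramfs.
enable-tftp
tftp-root=/var/lib/tftpboot

# Hand out the bootloader matching the client firmware: UEFI x86_64
# (client-arch 7) gets GRUB, everything else gets pxelinux.
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-boot=tag:efi-x86_64,grubx64.efi
dhcp-boot=tag:!efi-x86_64,pxelinux.0

# Log every lease and boot request while debugging the installs.
log-dhcp
```

On a Fedora box acting as router, the lab zone in firewalld also has to allow the `dhcp` and `tftp` services, and the pxelinux or GRUB menu entry is where the RHCOS kernel arguments go (`coreos.inst.install_dev`, `coreos.inst.ignition_url` and `coreos.live.rootfs_url`), pointing at an HTTP server on the same box for the Ignition files and rootfs image.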

[Read More]
Categories: fedora linux  Tags: pxe 

Block non-https scripts with uBlock Origin

Inspired by the default NoScript setup of the Tor Browser, I’ve added this rule to my list of static filters in uBlock Origin to block any script or other object served over plain HTTP. Some pages load third-party scripts over an HTTP connection, which exposes them to a man-in-the-middle attack: anyone on the network path can replace the script and run code in the page.

I’ve explicitly excluded .onion domains, as communication with a hidden service is always encrypted end-to-end inside the Tor network even when the URL says http.

|http:$script,inline-script,subdocument,object,font,inline-font,domain=~onion

To see the list of objects available to filter, you can consult the uBlock Origin wiki and the Adblock Plus documentation:

[Read More]
Categories: security