My double proxy solution to LaLiga blocks

If you are not aware, LaLiga (Spain’s football league) is blocking thousands of IPs in Spain every time there’s a football match on TV, in an attempt to fight pirated football streams on the Internet. Of course it isn’t working: the pirate sites remain accessible without a hitch, but thousands of legitimate websites stop working. You can get more information about the affected IPs on the fantastic page ¿Hay ahora fútbol?.

I recently discovered that some strange errors I was seeing in some of my home lab services were caused by these blocked IPs. The affected IPs are hijacked and HTTP connections are redirected to LaLiga’s web server. HTTPS connections fail with a certificate error like this one:

[Error] X509CertificateValidationService: Certificate validation for api.radarr.video failed. RemoteCertificateNameMismatch, RemoteCertificateChainErrors

To avoid these problems I have created a solution with two proxies and a VPN.

[Read More]

From Fail2ban to Reaction

Fail2ban has been an important security tool that I’ve been using on my servers for many years. However, it is sometimes difficult to configure, lacks certain features and can consume too many resources.

Recently I’ve switched to Reaction, a new tool with the same philosophy: monitor logs and execute actions based on log matches. Reaction is written in Rust, so it’s fast and resource efficient.

[Read More]

Vykar backup tool

I’ve been using Borg backup for many years for my backups and I’m pretty happy with it, but today a new alternative has been published: Vykar backup.

The tool is still new and not ready for production, but the benchmarks they published look very promising. It also supports object storage backends, something Borg has been promising for years but which is still only on the roadmap.

I will definitely keep track of its progress as it might be a good alternative in the future.

IP sets in OpenWrt 22.03

OpenWrt has recently released version 22.03, and one of the biggest changes is the switch to nftables.

I’ve noticed, though, that nftables doesn’t use ipsets the way I was used to; instead it has its own concept of sets defined inside the nftables ruleset.

I wanted to create a firewall rule to filter a list of IPs fetched from a URL, but the integration was not as straightforward as with iptables, so I ended up creating this solution.

[Read More]

SNI-based load balancing with HAProxy

In a bare-metal OpenShift installation you need an external load balancer to access the API and other services. In my home lab I also have a web server accessible from the Internet, and I don’t want to terminate the TLS connections in the load balancer, so that I can keep using the existing certificates on my web server and OpenShift cluster.

With these requirements in mind, I chose HAProxy as my frontend load balancer, so that all HTTPS connections to my public IP are diverted to the appropriate server by examining the SNI field of the TLS handshake.

[Read More]

PXE server in Fedora with dnsmasq

I’m currently doing many tests with the OpenShift bare-metal installation, and as I’m creating and destroying the VMs again and again, having a PXE server that provides the installation images and configuration to the VMs is very handy and saves a lot of time.

This is an example of my PXE configuration, set up on a Fedora box that acts as a router.

[Read More]

Capture Raspberry Pi kernel crashes

I’m experiencing kernel panics on a headless Raspberry Pi running Fedora 29 Server and need a way to capture what is happening.

First I tried to enable kdump, but that doesn’t seem to be possible. If someone has managed it, I’d like to hear about it.

What I’m using now is netconsole, which sends all kernel messages over the network to an rsyslog server. This is the config on the Pi:

/etc/modules-load.d/netconsole.conf:

[Read More]