Apuntes de root

With the recent release of fail2ban 0.9 there are very important improvements to the journal and firewalld integration. With these simple configurations, I get fail2ban working in Fedora 20 without a syslog daemon and avoiding being DOSed  by a local user.

/etc/fail2ban/fail2ban.local

[Definition]
loglevel = INFO
logtarget = SYSLOG

In /etc/fail2ban/jail.local we set the backend to systemd, so we monitor directly the journal, we also choose as default action firewallcmd-ipset, so the rules are inserted with firewall-cmd and use the ipset facility. Finally, all the jails needed are enabled.

[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
bantime = 3600

[sshd]
enabled = true

[postfix]
enabled = true

[dovecot]
enabled = true

This is an update of my previous post about configuring IPsec in OpenWrt.

The network scenario I’m describing is a central OpenWrt router with 2 internal LANs, plus 2 external hosts connected with VPN and some roadwarriors with all their traffic redirected through the IPsec tunnel.

Note (October 20 2014): This post is outdated, please, refer to the post fail2ban 0.9 for more up to date information.

fail2ban is a handy daemon that monitors the log files to identify connection attempts and other kind of attacks and ban those IPs for a certain period of time.

Currently, fail2ban upstream is adding support to firewalld and the use of ipset, so some modifications are needed at the stock config.

First of all, install the needed packages, I add rsyslog because it’s not included in the default Fedora 20 installation and it’s needed to generate /var/log/secure. I hope fail2ban will support some day querying the journal directly.

The other day, I installed a OCSP server in Windows 2012 R2 and got the need of testing it. I have found two different ways. In Windows, using the tool certutil:

# certutil.exe -url cert.pem

It will open a window where we can test all the revocation methods listed in the certificate. To test OCSP, we select it under “recovery” and click the button.

In Linux we can test OCSP with OpenSSL, this line does the trick:

Some time ago, I wrote a post about using dnssec-tools for managing an authoritative name server in CentOS, now I’m going to extend it to cover their usage in a Fedora system.

First of all, I’m going to use the latest versions which currently is not in the repositories. Download the source rpm, recompile and install the rpms: $ mock -r fedora-19-x86_64 dnssec-tools-2.0-1.fc18.src.rpm # yum install /var/lib/mock/fedora-19-x86_64/result/*rpm

The configuration of bind as authoritative name server /etc/named.conf:

For a number of reasons, i’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.

You can get the new key from: pubkey.asc

And the transition document from the old key is here: key-transition-2013-09-11.txt.asc

UPDATE 25 May 2026: Key DEEBD08B has been superseded by A46F1680F8655E774E4D6606B4B3D2F3662CAB17

Because the recent revelations about PRISM, it feels that everybody is revisiting their security infrastructure.

After testing during many hours the available ciphers in the Apache web server, I realized that it’s impossible to get Perfect Forward Secrecy with Red Hat and its derivatives. See bug #319901

I have decided to recompile openssl and apache for the servers I manage, I have uploaded the scripts I use to this repository: https://github.com/jorti/fedora-compile-with-ecc

I’m going to explain how to implement DNSSEC in CentOS, using Bind as authoritative name server and the dnssec-tools utilities. To deploy DNSSEC, your parent zone must be signed, you can check it here.

The main reference for this post is in the dnssec-tools Wiki: https://www.dnssec-tools.org/wiki/index.php/Authoritative_Server

NOTE: Please, check this updated post about this topic.

I have configured a IPsec server in my OpenWrt router to use it from my Android device when I am connected to an untrusted network. Previously I’ve used OpenVPN, but it drains too much battery, so I want to test if this solution, which is integrated in Android, works better.

I have taken the configuration from the OpenWrt Wiki.

If you are using vSphere Replication, the interface doesn’t give a lot of information. To query the status of a ongoing replication, you can use:

vim-cmd hbrsvc/vmreplica.getState _<vmid>_