Configure fail2ban in Fedora 20 to use firewall-cmd and ipset

Note (October 20 2014): This post is outdated, please, refer to the post fail2ban 0.9 for more up to date information.

fail2ban is a handy daemon that monitors log files to identify repeated connection attempts and other kinds of attacks, and bans the offending IPs for a certain period of time.

Currently, fail2ban upstream is adding support for firewalld and for the use of ipset, so some modifications to the stock configuration are needed.

First of all, install the needed packages. I add rsyslog because it’s not included in the default Fedora 20 installation and it’s needed to generate /var/log/secure. I hope fail2ban will some day support querying the journal directly.

[Read More]

How to test a OCSP server

The other day, I installed an OCSP server on Windows 2012 R2 and needed to test it. I have found two different ways. In Windows, using the tool certutil:

# certutil.exe -url cert.pem

It will open a window where we can test all the revocation methods listed in the certificate. To test OCSP, we select it under “recovery” and click the button.

[Figure: OCSP test with certutil]

In Linux we can test OCSP with OpenSSL; this line does the trick:

[Read More]

dnssec-tools and bind authoritative name server in Fedora

Some time ago, I wrote a post about using dnssec-tools to manage an authoritative name server in CentOS; now I’m going to extend it to cover their usage on a Fedora system.

First of all, I’m going to use the latest version, which is currently not in the repositories. Download the source rpm, recompile it and install the resulting rpms:

$ mock -r fedora-19-x86_64 dnssec-tools-2.0-1.fc18.src.rpm
# yum install /var/lib/mock/fedora-19-x86_64/result/*rpm

The configuration of bind as an authoritative name server, in /etc/named.conf:

[Read More]

Enabling ECC in Fedora and CentOS

Because of the recent revelations about PRISM, it feels like everybody is revisiting their security infrastructure.

After many hours of testing the available ciphers in the Apache web server, I realized that it’s impossible to get Perfect Forward Secrecy with Red Hat and its derivatives. See bug #319901.

I have decided to recompile openssl and apache for the servers I manage. I have uploaded the scripts I use to this repository: https://github.com/jorti/fedora-compile-with-ecc

[Read More]

IPsec server in OpenWrt

NOTE: Please, check this updated post about this topic.

I have configured an IPsec server on my OpenWrt router to use from my Android device when I am connected to an untrusted network. Previously I used OpenVPN, but it drains too much battery, so I want to test whether this solution, which is integrated in Android, works better.

I have taken the configuration from the OpenWrt Wiki.

[Read More]

View progress of vSphere Replication

If you are using vSphere Replication, the interface doesn’t give a lot of information. To query the status of an ongoing replication, you can use:

vim-cmd hbrsvc/vmreplica.getState <vmid>

df and du disk usage report mismatch

I had a server with a very big difference between the disk usage reported by df and what du said I was actually using. The cause was that Apache had many open file descriptors to deleted log files. You can see all the file descriptors pointing to deleted files with:

# ls -ld /proc/*/fd/* 2>&1 | fgrep '(deleted)'

Or using lsof:

# lsof +L1
# lsof -a +L1 /home

Seen in: http://www.noodles.net.nz/2011/07/27/df-not-reporting-correct-disk-usage/ and: https://mradomski.wordpress.com/2007/01/08/finding-an-unlinked-open-file-and-other-lsof-uses/