Improve security by running neovim in a container

I use neovim as my editor of choice for the Linux command line. Neovim has a huge ecosystem of plugins, and I use the lazyvim “distribution”, which provides a curated set of plugins for people like me who don’t want to spend time configuring neovim.

However, this plugin model presents a problem: neovim fetches code from the Internet and executes it on your system with your user privileges, with complete access to your files and secrets. With all the supply-chain attacks we are hearing about these days, this is a great risk.

In order to reduce the attack surface, I’m now running neovim in a podman container by using a custom wrapper script. This script launches a container with just the minimal access to the host system required to do its job.

[Read More]

From Fail2ban to Reaction

Fail2ban has been an important security tool that I’ve been using on my servers for many years. However, it is sometimes difficult to configure, lacks certain features and can consume too many resources.

Recently I’ve switched to Reaction, a new tool with the same philosophy: monitor logs and execute some actions based on log matches. Reaction is written in Rust, so it’s fast and resource efficient.

[Read More]

Export non-exportable private keys from Windows key store

When I was looking for a utility to export the non-exportable private keys in Windows, I found the mimikatz tool, which enabled me to do that and a lot more.

To export the private keys, run mimikatz as administrator and type:

crypto::capi
crypto::certificates /export

And you’ll get the certificates exported with the password mimikatz. You can also export the machine certificates with the /systemstore flag. See the wiki for more info.

This tool is detected as a threat by many antivirus products, so you’ll probably have to disable yours before using it.