Security: Apache Reverse Proxy, fail2ban, rsyslog, forwarding public IP

Uncategorized
What do all these have in common?  SECURITY! When you run multiple websites and you want to split those off to different computers or containers for the purpose of security or load balancing you need to run a reverse proxy.  Apache has a mod for that.  The problem is that this mod does not forward the actual IP of the computer visiting the site, instead it sends to the container/computer (let's call them "containers" from this point forward) the IP of the reverse proxy.  This means you can't use fail2ban to scan the logs to block bad actors.  BIG SECURITY ISSUE HERE. In order to scan for bad actors you use fail2ban.  It has jails that look for specific types of activity such as failed login attempts.  If it finds…
Read More

Proxmox Mail Gateway Implementation

Uncategorized
This little virtual appliance is useful to keep spam and other malicious content from reaching your email server.  Last week I was successful at moving my physical email server install to a "container" in Proxmox.  That was one of my long term goals.  This means the email is backed up regularly and I can move it to another machine easily.  While doing this I thought that I'd like to look at the Proxmox Mail Gateway.  I use pfsense to do a lot of spam blocking.  I also have a customer that doesn't use pfsense.  When I look at their daily report I see tons of attempts by bad guys to get in.  In my case I know pfsense is blocking that.  That meant that when I was thinking about the…
Read More

My Nexus 7 is dying.

Uncategorized
This Nexus 7 has been a workhorse for me in so much as it has continued to work with not much difficulty even though it is many years old.  It has not been without its issues, however, it was always there for me to grab it when I needed it.  It's not that I push it, rather it's that I've used it for a long time as my portable device for taking notes and looking things up.  I use it also for things like Termux (a great terminal shell, and much more), playing cards on break, etc. Well it is dying.  One issue is that for a long time it would not auto-rotate, and sometimes I would have issues with it reacting to touch.  The solution was either to "tap"…
Read More

Adding a Netgear EXT 6200 range extender to your network.

Uncategorized
This can be implemented as an extender or Access Point (AP).  Realistically if you can run a cable nearby and place the EXT 6200 somewhere near where you want to serve the WIFI signal you should.  That's what this is about. Run an Ethernet cable as close as you can to the area where you want to serve with the Access Point.  Plug in an Ethernet cable to the device.  Then configure. Alright, that seems sort of simple.  Anyone can do it.  But no, the problem comes with the Netgear firmware.  It demands you connect to the IP address of the AP or you connect to their www.wifiext.net address.  If you connect in this fashion it opens a bunch of problems.  First, how do you get the IP address of…
Read More

Macbook Pro boots with a white circle with a line through it.

Uncategorized
Others have identified this as a machine with the wrong OS on it, an incompatible version of the OS on a Mac.  However, I have found another cause. To resolve the issue if it occurs, if it is caused by circumstances like mine, you would hold option+command+R then go into recovery and choose time machine and roll back.  Then try again. In my case I saw the Mac had updates.  I selected to do the update which downloaded a 1.2gb file.  During that download process I noticed that this mac could have Catalina installed (a new version of the OS).  During this download the updater indicated that it wanted to reboot.  I cancelled that.  I let the Catalina downloader (no it hadn't installed anything, it was just downloading) go for…
Read More

Google’s Android prompting you to save passwords online. NO WAY. Not ever going to happen.

Uncategorized
This is one of those absolutely inherently bad policies -- to save your passwords online on a 3rd party's site.  It is one of those self-evident things such as all people being created equal.  We do not save our passwords onto a 3rd party site, especially Google's. I encountered this today and went looking for a way to turn it off, to turn off the prompt.  I'm someone uneasy with the idea that it is even there, because even if you say no they could still do it and you'd never know.  Google is known to be a company that tracks and monitors you at every angle, and giving them this sort of capability on Android is absolutely dangerous.  They have also been known to lie saying that they weren't…
Read More

Proxmox when launching a console in the WEB UI — Error: Permission denied to access property Symbol.toPrimitive

Uncategorized
One moment it worked the next it didn't.  Why proxmox would be fingerprinting the console is beyond me.  It shouldn't be. What's happening is that if you have canvas blocker then launching the console for a VM it can cause this error message.  Disable canvas blocker and you will be able to connect again properly. Now to find a way to keep canvas blocker enabled and get in.  As I said it worked one minute then not the next.  Did they update canvas blocker? I disabled it and launched the VM again from within Proxmox.  That worked.  I then turned canvas blocker back on and tried again.  Nope, wouldn't launch. I then decided to leave it enabled and I closed the browser and then relaunched and tried again.  This worked. …
Read More

Starting with Windows 10 version 1803 Windows 10 will no longer make copies of your registry files. This is quite dangerous and not having it can be of grave concern.

Uncategorized
Windows itself has one major failure and that is the registry.  This registry keeps all the settings for the operating system, the hardware, drivers, and varous components that go into making Windows work. https://www.ghacks.net/2019/06/29/microsoft-explains-the-lack-of-registry-backups-in-windows-10/ The problem is that this set of files that comprise the registry are no longer being periodically backed up by Windows 10 starting with Version 1803 and all subsequent versions. In my line of work having to deal with a bad registry can only be resolved by resorting to these backup files.  If the computer has a failing hard drive and this causes the registry to corrupt having a good version for the next reboot is important, even if it requires a little manual intervention.  Meaning, if I have to copy some files outside the OS…
Read More

Proxmox CIFS Network Storage Error “create storage failed: error with cfs lock ‘file-storage_cfg’: mkdir /mnt/pve/network-storage-backups/snippets: Permission denied at /usr/share/perl5/PVE/Storage/Plugin.pm line 1027. (500)”

Uncategorized
Samba needs to be configured (at the share location) to allow the user that you are connecting with to actually connect.  In Linux you can create a Linux user and grant that user samba access.  The samba password can be different than the Linux account password.  Before you can add a samba password to this user you must have created a Linux user.  If you already have a Linux user then you can just add that user to samba. Ensure you have your "smbpasswd -a" set for the user. This would be something like "sudo smbpasswd -a joe".  Enter the samba password that you want to add for this Linux user. On the Proxmox storage setup screen you enter the samba password instead of the Linux user's password unless they…
Read More

DNS Authentication with LetsEncrypt for wildcard certs with Namecheap as your registrar

Uncategorized
I'd been attempting to switch from http preferred challenges for cert renewal/verification.  The reason is that the certbot program fails in cases where if I have existing domains in the cert adding more domains or subdomains to existing certs fails.  Basically when you try to add new domains or where the subdomain is new to an existing domain that's listed in the cert, certbot using "--preferred-challenges http" fails with error messages that do not make sense to the average person, even those that that used Letsencrypt since their inception. In my case I had to add two domains to my cert and also to add a series of subdomains for each new domain to make the domain operate just like the existing ones would.  I also had to add a…
Read More