Proxmox Container Fails to Start on New Setup

Uncategorized
Proxmox is set up in an exceptional way, except one. That is obviousness for certain features.  It tries but fails.  Here's what I mean. When you set up Proxmox you tell it to create storages.  In my case I have the SSD that I installed Proxmox onto.  It sets up a small portion for the OS and the remainder is left for you to use as you see fit.  In my case I always set up a second drive or array of drives.  This is where all my containers go and is typically much larger than the boot drive that Proxmox was installed on. Here's the issue that I dealt with yesterday and today.  I set up an email container based on Ubuntu 18.04 LTS.  In here I installed…

Server Maintenance and Upgrades.

computers, Linux
The file server has been running for years without issue.  It still is.  The other day I thought I’d do a disk test on the drives in the raid array. In order to have enough drives in the system I had to add a raid card.  These are the cards found in Dell servers that can be modified to turn on IT mode allowing SATA drives.  When you get them you modify the firmware in DOS of all things, but it is super simple.  And then you buy 1 or 2 cables with 4 SATA ends for the drives.  I say 1 or 2 because there are two ports on the card where you can plug in a 4 port SATA cable enabling 8 total.  With a 2nd card you…

Netgear R8000 VPN travails

Android, Linux, Netgear, Port Forwarding, ports, VLAN, VPN, Windows
Lots of problems using this router for VPN services.  They don't allow accounts and they all use the same cert.  If you have to withdraw a cert from someone you do it for everyone.  Not a good idea. Here's the issue.  VPN was turned on, and configured as default -- using default ports for both TCP and UDP.  Normally you'd use 1194 but this router defaults to 12973 and 12974 respectively for the protocols.  Not sure why.  Why would you need two ports for this when frankly OpenVPN uses UDP by default? Anyway, nothing we did would make this work.  Multiple checks against settings.  Testing from remote locations with multiple clients.  A sifting of the OpenVPN configuration files.  Ensuring certificates and keys were in place.  Nothing would work. I attempted…

Blocking Annoyance Sites Like Stretchoid

Uncategorized
These guys claim to be researchers.  They are researchers with over 24,000 IPv4 addresses?  Something's fishy here. On most systems you have a firewall.  You have a firewall at your router and you have a firewall at your workstation. In Linux you may use iptables and/or UFW.  The goal of these is to block IP addresses of users that you believe are nefarious or have no reasonable need to even be looking at your computer. For instance, someone sending you email is a reasonable use.  Someone visiting your website is reasonable use.  Someone testing the ports on your email or web server is not reasonable.  In the strictest word those should be banned at the very first attempt to scan or break in. In Linux you have UFW that can…

Apache Redirects

Uncategorized
You would not believe the clusterfuck this is.  Apache is so worried about backwards compatibility that just blowing away what others have done to jury rig their systems to make them work properly is thought of as something that would be a nightmare. Yes, a nightmare it would be, but at some point it has to be done.  The problem is that the context of the settings, directives, mods, proxy, etc. are so ill documented and so poorly implemented, and there are so many know-nothing Joe experts out there, that getting a solid understanding of what is actually happening to make this all work just isn't possible.  Not for mortal man that is. Yeah, many will claim they aren't mere mortals (the supposed experts) and that you should go…

Rsyslog and fail2ban — reload fail2ban if you add new remote logging

Uncategorized
If the purpose of implementing rsyslog is to store logs that's good.  If you get all the logs in one place and you don't use those to implement security with fail2ban well we have to question your sanity.  Not really, but it would be a good idea to consider that.  This post is about one thing I noted when setting this up. I'd initially set up rsyslog on my containers and then thought about setting it up on all containers/computers that had exposed ports to the internet for any service.  That brought to mind my SSH jump server. My opinion of security is pretty strict.  If you try to get in and you aren't supposed to for any reason you are banned for life, period.  I won't debate it.  My…

Security: Apache Reverse Proxy, fail2ban, rsyslog, forwarding public IP

Uncategorized
What do all these have in common?  SECURITY! When you run multiple websites and you want to split those off to different computers or containers for the purpose of security or load balancing you need to run a reverse proxy.  Apache has a mod for that.  The problem is that this mod does not forward the actual IP of the computer visiting the site, instead it sends to the container/computer (let's call them "containers" from this point forward) the IP of the reverse proxy.  This means you can't use fail2ban to scan the logs to block bad actors.  BIG SECURITY ISSUE HERE. In order to scan for bad actors you use fail2ban.  It has jails that look for specific types of activity such as failed login attempts.  If it finds…

Proxmox Mail Gateway Implementation

Uncategorized
This little virtual appliance is useful to keep spam and other malicious content from reaching your email server.  Last week I was successful at moving my physical email server install to a "container" in Proxmox.  That was one of my long term goals.  This means the email is backed up regularly and I can move it to another machine easily.  While doing this I thought that I'd like to look at the Proxmox Mail Gateway.  I use pfsense to do a lot of spam blocking.  I also have a customer that doesn't use pfsense.  When I look at their daily report I see tons of attempts by bad guys to get in.  In my case I know pfsense is blocking that.  That meant that when I was thinking about the…

My Nexus 7 is dying.

Uncategorized
This Nexus 7 has been a workhorse for me in so much as it has continued to work with not much difficulty even though it is many years old.  It has not been without its issues, however, it was always there for me to grab it when I needed it.  It's not that I push it, rather it's that I've used it for a long time as my portable device for taking notes and looking things up.  I use it also for things like Termux (a great terminal shell, and much more), playing cards on break, etc. Well it is dying.  One issue is that for a long time it would not auto-rotate, and sometimes I would have issues with it reacting to touch.  The solution was either to "tap"…