Fail2Ban+Nginx (blocking repeated 404's, etc)

Posted on Mon 16 March 2020 in Tech • Tagged with Tech, Security, Linux

After hosting a mail server for a few years, I've gotten tired of seeing alllll the 404 attempts in my daily logwatch. Fail2Ban can help here really well, and it turns out to be really easy.

Start with nano /etc/fail2ban/filter.d/nginx-4xx.conf (I'm counting on your running Debian and having things in default locations here), and enter the following:

[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =

Note: Make sure you use a capital 'D' in Definition there.

Now, edit your /etc/fail2ban/jail.conf …


Continue reading

sa-compile failing during upgrade

Posted on Sun 15 March 2020 in Tech • Tagged with Tech, Linux

I just spent an hour troubleshooting the most ridiculous thing. I guess to help people search, I'd describe this as "dpkg failing at sa-compile in Debian 10" but that's really not a good picture of what's happening here...

Setting up sa-compile (3.4.2-1~deb9u3) ...
Running sa-compile (may take a long time)
/bin/sh: 1: x86_64-linux-gnu-gcc: Permission denied
make: *** [body_0.o] Error 126
command 'make PREFIX=/tmp/.spamassassin22062Ifq5yDtmp/ignored INSTALLSITEARCH=/var/lib/spamassassin/compiled/5.024/3.004002 >>/tmp/.spamassassin22062Ifq5yDtmp/log' failed: exit 2
dpkg: error processing package sa-compile (--configure …

Continue reading

FreeNAS finally supports ECC crypto!

Posted on Sun 02 February 2020 in Tech • Tagged with Tech, Networking

Woo! FreeNAS finally supports ECC crypto for it's SSL certificates in 11.3!

I reported this as a bug almost exactly two years ago, and kept having to do nasty workarounds to make it work every time I installed an update. Very happy that it's finally sorted and I can use my proper shiny elliptic curve SSL setup! :)


Continue reading

Fortinet SSL VPN Certificate extensions

Posted on Sun 19 January 2020 in Tech • Tagged with Tech, Security

If you're setting up a new SSL VPN with certificate authentication, and if you already have an internal PKI, you're probably considering using your internal certification authority to create the SSL keys and certificates for your VPN clients. Awesome! This is a great and easy way to do this job.

But there's a dearth of information on the Interwebs regarding what Extended Key Usages you need to have enabled in your Certificate Template for these. There are a heap available, including Email Signing, Timestamping, Code Signing, IPSec SSL things (about …


Continue reading

Zentyal 6.0 to 6.1 upgrade getting stuck

Posted on Tue 17 December 2019 in Tech • Tagged with Tech, Security, Linux, Mail

So I faced a little challenge with a Zentyal server the other day. I was upgrading from ye olde 6.0 to 6.1, when everything just stopped. I let it sit in the corner for about an hour or so, but it never picked up the thread. All the services were still live, so I logged in to have a look.

Running ps aux, I discovered this line:

sh -c /usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/x2M7gkZVvm.cmd 2> /var/lib/zentyal/tmp/stderr

So, I …


Continue reading

StarCraft Remastered broken under Wine

Posted on Mon 09 December 2019 in Tech • Tagged with Tech

I know this post is only going to be relevant for a couple of weeks, but today I tried to launch StarCraft Remastered under WINE and it crashed.

Pertinent info: StarCraft Version 1.23.2.6926 WINE version 4.20-staging Battle.Net version 1.18.0.11698

Fix was to open the Battle.Net settings -> Game Settings -> "Launch 32-bit client (instead of 64-bit)"

Apparently the 64-bit version has become the default sometime since I last played it (October?!): https://us.forums.blizzard.com/en/starcraft/t/enabling-64-bit/458/7


Continue reading

Inside the Check Point 1180

Posted on Sun 28 April 2019 in Tech • Tagged with Tech

I've got a spare Check Point 1180 here, and I'm fiddling around with it a bit. Learnings so far:

  • Platform: ARM
  • CPU / RAM: ARM926EJ-S, 512MB RAM
  • System board: Marvell RD-88f6281A LE

Continue reading

When a docking station wrecks your breakfast

Posted on Sat 23 February 2019 in Tech • Tagged with Tech

It's been a while since I posted, but we bumped into something completely batshit crazy at work that I just had to share.

One of my colleagues was setting up a new computer, and was unable to RDP into the new build. He kept getting the error message "Your session ended because there was a data encryption error. If this keeps happening, ask your admin or tech support for help."

"Your session ended because there was a data encryption error."

We'd never experienced this error before, and - although the internet knew about it - there were not very many helpful hits …


Continue reading

New things I didn't know about Wireguard

Posted on Thu 27 December 2018 in Tech • Tagged with Tech, Security, Wireguard, Networking, Linux

This is part of my brief series on Wireguard. I'm pretty enamoured with Wireguard and the way it works, and I've been using it pretty seamlessly for over a year now. I've learned a couple things that weren't immediately obvious though, so I'm documenting them here.

Easy Provisioning

Samuel Holland mentioned an interesting trinket, in his post at https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html:

"[...] WireGuard will ignore a peer whose public key matches the interface's private key. So you can distribute a single list of peers everywhere …


Continue reading

When AppArmor eats your breakfast

Posted on Mon 19 March 2018 in Tech • Tagged with Security, Tech, Linux

I've knocked heads with AppArmor a few times now. To be quite honest with myself, I think it's primarily because I install it, enable all the plugins, and then forget it's there until there's a problem.

TL;DR:

On a fully-updated Zentyal 5.0 system running DHCP, the AppArmor profile in /etc/apparmor.d/usr.sbin.dhcpd will prevent isc-dhcp-server from restarting itself after an upgrade.

More search-type words: Zentyal dhcp server doesn't start again after upgrade. isc-dhcp-server graceful shutdown, but no restart.

This frustration-laden, Google-friendly equivalent of speaking slowly …


Continue reading