Posts in 2020

  • nginx ISP fence

    Tuesday, September 01, 2020 in Systems

    Sometimes the easiest way to geofence an application is to just whitelist only certain ISPs' networks. Nginx has a handy way to map IPs into subnets using the geo module. Requirements job/aggregate6 to aggregate/unique-ify the prefix lists …


Posts in 2016

  • ESXi 6up2

    Sunday, May 22, 2016 in Systems

    I recently installed VMware ESXi 6.0 Update 02 aka VMware vSphere Hypervisor on a server, and using the new VMware Host Client at https://<hostip>/ui/ was able to fully set up a Debian 8/Jessie guest using only the trial license. The HTML …


Posts in 2014

  • SSLv3 Disabled

    Thursday, October 16, 2014 in Systems

    In response to the recent POODLE vulnerability in SSLv3, I have disabled SSLv3 support in anything of mine which speaks SSL/TLS. All connections are running TLSv1.0, TLSv1.1, or TLSv1.2 now. I have also reviewed the list of ciphers in the Mozilla …


  • CVE-2014-6271 - ShellShock

    Wednesday, September 24, 2014 in Systems

    Today various sources announced CVE-2014-6271: “bash: specially-crafted environment variables can be used to inject shell commands”. This is a serious risk on many Unix-like systems, as bash is a very popular shell, and included by …


  • Deploying a Host-Specific Fail2Ban Config with SaltStack

    Saturday, August 16, 2014 in Systems

    Let me start this off by saying in this particular example, this is the wrong way to solve the problem. I should be learning more about fail2ban, and deploying files in the action.d and filter.d directories, however this is a really quick and dirty …


  • Deploying Fail2Ban using SaltStack

    Sunday, August 03, 2014 in Systems

    One of the realities of having public-facing SSH is the continual brute force attempts. I have 3 droplets at DigitalOcean; SGP1 and NYC2 get hit much more often than LON1. I thought about deploying SSH ACLs through SaltStack, but because all my …


  • Deploying a Nameserver at DigitalOcean in 2 minutes

    Wednesday, July 23, 2014 in Systems

    One of the great things about DigitalOcean is that you can spin up a new small sized Debian VM in under 55 seconds. All that remains is to log in, add the Salt Debian repo, add the salt signing key, and then run state.highstate on the Salt master. If …


  • Debian Package Caching

    Monday, July 07, 2014 in Systems

    By starting to use SaltStack to administrate my Debian VMs I’ve saved myself a lot of time logging into each machine, running apt-get update; apt-get upgrade. I’ve used proxies in the past, mostly on satellite links where bandwidth to the …


  • Anycast Administration with SaltStack

    Tuesday, July 01, 2014 in Systems

    I’ve been playing with SaltStack for a week or so now, and while I still haven’t even scratched the surface of what it is capable of yet, I am certainly saving a pile of time using it already. I am now using it to maintain web directories …


  • SaltStack Automation

    Wednesday, June 25, 2014 in Systems

    This week I changed that and set up a salt-master and several (OK, 10) salt-minions to take commands from the master. 8 local Debian Linux VMs, 1 remote FreeBSD VM, and 1 remote Debian Linux VM. Getting started with SaltStack is really easy. …
