Tek's Domain


Narration for Posts, for You!

If you’ve clicked on this post itself, you’ll notice there’s a sound file at the top. That’s because if you click it, or hit the P key, you’ll hear… me, reading this! I’m working on adding this to old posts one by one, so you might see that popping up eventually. But, partially for accessibility, and partially just to make these sorts of ramblings easier to take in while only half paying attention or just doing something else entirely, I’m putting audio narration on every post here that I can.

Continue reading

Fail2Ban Behind a Reverse Proxy: The Almost-Correct Way

Fail2Ban is a wonderful tool for managing failed authentication or usage attempts for anything public facing. However, by default, it’s not without its drawbacks: Fail2Ban uses iptables to manage its bans, inserting a --reject-with icmp-port-unreachable rule for each banned host. The thing with this is that I use a fairly large amount of reverse-proxying on this network to handle things like TLS termination and just general upper-layer routing. Since it’s the proxy that’s accepting the client connections, the actual server host only ever sees the proxy’s IP. Even if its logging system understands what’s happening (say, with PROXY protocol) and logs the real client’s IP address, and even if Fail2Ban puts that IP into the iptables rules, that IP is not the connecting IP, so the rule means nothing. What I really need is some way for Fail2Ban to manage its ban list, effectively, remotely. Luckily, it’s not that hard to change it to do something like that, with a little fiddling.

Continue reading

AbuseIPDB Checking With Postfix

Updated Dec 31, 2021

So if you’ve not heard, there’s this website called AbuseIPDB, which, no affiliation, is a website where webmasters can submit reports of abusive IP addresses, and then query those reports, either manually, or using their REST API. And this is how I did exactly that, to help cut down some of the spam on my email server. Let’s get started.

Continue reading
Embedded PeerTube video: https://vids.tekdmn.me/w/w7WGHX7Lb6mCrbrpF3Xb8V

A Professional Amateur Develops Color Film

Oh don’t worry, there’ll be more detail on this one soon. But as I’m still (slowly) working through stuff to write, enjoy me remembering that I have PeerTube integration, but more importantly, enjoy me panicking as I don’t know what I’m doing with this.

IPv6 Is a Total Nightmare — This is Why

New and improved!

So this is just going to be a total rant. IPv6 is, in theory, a solution to many things, including the dwindling IPv4 address space. IPv6 was officially a draft in 1997, and became a real Internet Standard in 2017. And, quite frankly, it’s one of those things that, in my opinion, just adds too much hassle for not enough benefit.

Take 2 this time. More facts. Clarified points, same worthless opinions.

Continue reading

What Exactly Is Federation, Anyways?

Federation, the driving name behind decentralized and self-hosted software. But what is ‘federation,’ really? Well, there’s the really complex answer, and the simple answer. The simple answer is that federation is when multiple unrelated instances of a piece of software are capable of communicating and sharing between one another. The long answer, well, if you want to see that, then…

Continue reading

OTR: Encrypted Instant Messaging

Yes, for once, I have not just some app for secure messaging; this time, it’s a protocol. OTR, or Off-the-Record Messaging, is a protocol for establishing end-to-end encrypted messaging between two participants over a standard instant messaging channel like IRC or XMPP (Jabber). It also allows for deniable authentication: during the conversation you can be assured that only you two are talking, but after the conversation, there is no way for an outside third party to 100% prove you talked, since it’s theoretically possible for an attacker to have forged the communications record. It’s complicated, but not too hard to wrap your head around.

Continue reading

QMQP: That Other Mail Transfer Protocol

Everyone (okay, everyone this is relevant to) knows what SMTP is, the standard for mail transfer. It’s even in the name, Simple Mail Transfer Protocol, which is how mail servers have been sending mail to other mail servers since… a while. Well, fun fact, there’s another protocol that accomplishes the same goal: QMQP, the Quick Mail Queuing Protocol.

Continue reading

How DNSBLs Work

If you’ve dealt with email for any longer than 5 minutes (as an administrator), you already know it’s a mess. There are so many security measures, so many checks, so many things to combat bad actors and spam. What if we had some way to have some service publish a list of bad IPs, and mail servers could quickly check that mid-transaction so they can have up-to-date information as to whether the in-flight message should actually be accepted or not?

Well, we have exactly that. Enter: the DNS Blacklist.

Continue reading