Fail2Ban Behind a Reverse Proxy: The Almost-Correct Way

Fail2Ban is a wonderful tool for managing failed authentication or usage attempts for anything public facing. However, by default, it’s not without it’s drawbacks: Fail2Ban uses iptables to manage it’s bans, inserting a --reject-with icmp-port-unreachable rule for each banned host. The thing with this is that I use a fairly large amount of reverse-proxying on this network to handle things like TLS termination and just general upper-layer routing. Since it’s the proxy that’s accepting the client connections, the actual server host, even if its logging system understands what’s happening (say, with PROXY protocol) and logs the real client’s IP address, even if Fail2Ban puts that IP into the iptables rules, since that’s not the connecting IP, it means nothing. What I really need is some way for Fail2Ban to manage it’s ban list, effectively, remotely. Luckily, it’s not that hard to change it to do something like that, with a little fiddling.

Continue reading

AbuseIPDB Checking With Postfix

Updated Dec 31, 2021

So if you’ve not heard, there’s this website called AbuseIPDB, which, no affiliation, is a website where webmasters can submit reports of abusive IP addresses, and then query those reports, either manually, or using their REST API. And this is how I did exactly that, to help cut down some of the spam on my email server. Let’s get started.

Continue reading

QMQP: That Other Mail Transfer Protocol

Everyone (okay, everyone this is relevant to) knows what SMTP is, the standard for mail transfer. It’s even in the name, Simple Mail Transfer Protocol, which is how mail servers have been sending mail to other mail servers since… a while. Well, fun fact, there’s another protocol that accomplishes the same goal: QMQP, the Quick Mail Queuing Protocol.

Continue reading

How DNSBLs Work

Ff you’ve dealt with email for any longer than 5 minutes (as an administrator), you already know it’s a mess. There’s so many security measures, so many checks, so many things to combat bad actors and spam. What if we had some way to have some service publish a list of bad DPs, and mail servers could quickly check that mid-transaction so they can have up-to-date information as to if the in-flight message should actually be accepted or not?

Well, we have exactly that. Enter: the DNS Blacklist.

Continue reading

Graylog, and the Syslog Protocol, Explained

So if you’ve tried enterprise log management systems, you’ve likely heard of Syslog. If you haven’t, Syslog, is, well, a protocol designed to allow multiple hosts to send their system logs over the network to some other server where they can be analyzed and stored. It’s another one of those weird UDP protocols, and this one is actually stupid simple, even in both of the commonly used forms! Oh, we’ll also cover the one piece of software that I use that handles Syslog — Graylog, which by itself is also really cool.

Continue reading

Moving From Sophos UTM 9 to pfSense

Updated May 4th, 2021

Yeah I figure why not, at the same time that I’m replacing another key piece of network infrastructure, I might as well just replace the (second) most important piece, right? So cue the music, because…

Now, this is a story, all about how my life network got flipped, turned upside down, and I’d like to take a minute, just sit right there, I’ll tell you how I became the prince of a town called Bel Air the owner of a… just… just cut the music. Let’s begin.

Continue reading

Ah Yes, the SIMPLE Network Management Protocol

If that title isn’t a dead giveaway, I’m not happy. But yet I will somehow manage to vent my frustrations and explain something at the same time. Today: SNMP, or, “How to gather lots of stats on remote machines,” or, “Because you thought CVS was hard to wrap your head around.”

Continue reading

Teknikaldomain.me Website Architecture Overview

So I just checked in with initialcommit.com, the website run by Jacob Stopak, the same person I collaborated with to help explain the internals of version control systems, not once, but twice even. And he published an overview of how he made the site, and what tools he used. As I was looking, I noticed, we took a very different approach to get to two similar endpoints.

If you just want to see what I did, read on. If you want to see the differences, or are just curious about the various ways that sites can be built, read his first, then come back with that knowledge in mind.

Continue reading

Complying With the Latest Security Policies

Modern websites and modern browsers support a wide range of security features to communicate specifically what is and is not allowed to be loaded, executed, or sent over the network. Being the person that I am, I’m going to comply with the latest guidelines and best practices as much as I can… and it’s a headache.

Continue reading
Older posts