While there are plenty of IoT security cameras that promise privacy, none of them really do. Eufy recently got busted for secretly accessing people's feeds, Unifi got breached, and literally every off-shore IoT device is slurping as much metadata (and regular data) off your devices as they possibly can. It’s not hard to understand the need for secure and private home security devices.
Despite its age and legacy, ZoneMinder is still by far the most capable and complete solution for this.
With Mastodon quickly becoming a refuge for former bird-site users fleeing the new regime, many are considering self-hosting their own Fediverse instance. There are many good reasons to do this, such as privacy, data ownership, or even maintaining consistent performance while larger communities struggle to onboard an influx of new users.
But, as always, self-hosting means new responsibilities! In this case, ensuring that the data is safe and secure, that the server is operating correctly, and that it is not disseminating malware.
Several admins and developers like automatically updating their servers with new builds as they become available. Commonly known as “CI/CD”, this process allows teams to iterate much faster and speed up product development.
Often, this is simply pulling from a repo and running a couple of docker-compose commands, which is very easy to automate.
A bad way to do this is using a cron job that runs every 10 minutes to pull from the repository and execute any commands.
This guide is for an advanced Debian GNU/Linux installation using the ZFS storage system with an encrypted root volume for security and privacy. It will also be upgraded from the current Stable release (Bullseye) to the rolling-release Unstable version (Sid).
ZFS has long been considered the last word on advanced storage developments. With its advanced safety, efficiency, and performance mechanisms it’s easy to see why it’s popular in the storage world, DIY and enterprise alike.
Since late 2018, I had been a full-time Arch Linux user. At that time, it was worth it for me to spend the extra time dealing with Arch’s quirks, meticulously updating my AUR software, fiddling with all-manual configuration, and manually migrating any software between major versions whenever Pacman updated them. It was both a great learning experience, and… well… A bit of a waste of time ;)
Needless to say, things have changed in my life since then, and I now place a much larger emphasis on ‘boring’ stuff.
Log aggregation systems are fantastic. As are time-series metrics databases. But that’s not what this post is about. These methods aren’t a replacement for those systems at all, but a basic way to implement the core basics of monitoring and alerting.
You see, the strength of a SIEM or log aggregation system is its numbers. It correlates data from hundreds or thousands of sources, giving very important insights about overall system usage patterns, login activity, audit trails, and more.
I recently installed Debian Bullseye on an old Intel NUC6CAYH mini PC I had lying around. It’s a great little device for a home server, as it’s very cheap, fits 16G of memory, and with 4 mini-cores it’s no slouch.
The first install attempt didn’t go well, with missing firmware for the NIC causing the boot to hang for a couple of minutes. This happens quite a bit because of Debian’s hard-line stance on binary blobs, so I re-installed with the non-free install media.
The latest announcements for Windows 11 have revealed that the next version of the Windows operating system will have very stringent hardware requirements. Some of them are, in my opinion, quite reasonable. For example, they’re finally dropping support for 32-bit x86 and legacy BIOS boot. These make sense, because almost every PC manufactured since 2011 has supported x64 and UEFI. It also sheds a substantial amount of technical debt and cruft, and simplifies the system slightly.
This is the story of the most awful SSL certificate I have ever made. This was done entirely for my own amusement, and for the minute possibility that I could make somebody I don’t like miserable.
Now, why on earth would I want to do this? Well, I don’t particularly respect scanner people. Their scanners are annoying, their tools always suck, and they create tonnes of noise in my logs that I don’t like.
Across the street from my apartment is a house which has been in a perpetual state of renovation for nearly six months. This past week, a for sale sign has popped out of the ground just in time for the spring rush.
It turns out, the man who bought the house did so about a year ago with the sole purpose of renovating and flipping it to make a quick buck.
There’s always been a kind of temptation from the proverbial ‘other side of the fence’ when it comes to Unix-like operating systems. This idea that there’s an entirely separate and similar, but entirely distinct system from what I’m used to is exactly what’s pulled me towards OpenBSD today. As somebody experienced with almost every mainstream Linux distro, I wasn’t entirely sure what to expect.
Visiting the website (openbsd.org), the first thing I noticed was how dense and concise the documentation was.
One of the worst parts of modern life is how unsatisfying it is to hang up on somebody. Tapping on the ‘End Call’ button on an iPhone or angrily clicking ‘Leave Meeting’ on Zoom just isn’t nearly as fun as slamming down the handset on a real phone.
This particular project was to breathe some life into the antique Northern Telecom phone from my grandparents' house by attaching it to a modern VoIP system.
I installed Gentoo Linux on my vintage Thinkpad. This particular device has a rather colourful history. In mid 2015 I recovered it from an e-waste pile at my workplace and brought it back to life. In the years since, it’s been a playground of sorts. In five years it’s had four editions of Windows, three versions of BSD, exotic operating systems like Redox and ReactOS, and of course dozens of different Linux distributions.
Today I got yet another malware email. They just won’t leave me alone. I suspect it has to do with the upcoming US election, based on all the CISA alerts I’ve seen over the last couple days.
However, after going down the rabbit hole with this malware I do suspect that whatever is behind it is more sophisticated than a simple ransomware gang. I won’t speculate too much, but because of its highly distributed and evasive design it could be the work of a larger enterprise.
I recently started using a TP-Link C7 router to host a guest network at my house. I typically avoid consumer/prosumer gear for my network, sticking to either whitebox (homemade) or older enterprise gear. Alas, the price was right ($0). Every time I do encounter one of these devices I always manage to find something fun and interesting to poke…
Bad SSH server

The first red flag was the sshd server running on this router.
About two weeks ago, I upgraded my single node ElasticSearch cluster from 6.8.6 to the latest 7.9 version. Last night, all hell broke loose…
The upgrade itself wasn’t perfect. There were some issues with my setup that the helpful “Upgrade Assistant” didn’t pick up before I had already committed. I was missing a few formerly optional parameters in my elasticsearch.yml config file, there were some odd field mappings that weren’t supported any more, and some date format issues with my grok scripts.
Today, I got an email inquiring about a job opportunity. This was immediately pretty funny, since I don’t employ anybody including myself. Even better, the guy sent a Microsoft Excel file as the ‘resume’, so even if I was hiring… Sorry bud, not going to be you.
Now normally I just delete these documents and report spam. But seeing as how I’m locked into my house and have nothing better to do right now, I figured I might as well have some fun with this.
For many years we’ve taken for granted the ability to settle any argument with Wikipedia. For so long, we’ve been able to settle any trivial dispute with a simple text search.
That could change. I’m not really trying to fear-monger, but it’s always possible that the internet might go out and stay out. And like hell I’m going to sit in quarantine with my partner and not be able to settle up with Wikipedia!
Do you live in North Korea or Iran? Is your totalitarian government cracking down on dissidents? These are serious concerns for some, but for the rest of us it might be time to re-think the modern threat model.
Why do people use VPN services? I think at the very core of the VPN subscription market is the belief that, as a consumer, it’s possible to buy privacy. That’s simply wrong. Privacy is a process, not a product.
TL;DR The default settings for Logstash index rotation are bad and will break your cluster after a few months unless you change the rotation strategy.
If you’re anything like me, you probably read somebody’s cool blog about how awesome ELK stack is and just had to have a piece of it. So you went through the quick start guide, googled your way through getting it up and running, then BAM you had an awesome logging system with all the bells and whistles!
Do you ever just update everything?
There are a few times you might need to do this. For example, some nasty vulnerability comes along and ruins your week.
Or maybe you just want to be super up to date because you have a strange compulsion to have the latest and greatest of everything. Either way, here’s my solution:

Use Ansible inventories to update all your servers

I wrote this playbook as a simple way to ‘freshen up’ my homelab after months of neglect.
Stop putting your ssh keys on GitHub!!!
For that matter, stop putting your keys in any kind of repository. Seriously, your private keys are private for a reason.
Okay, let’s back up a little here. This morning some articles made the rounds about Cisco distributing network device firmware with keys and certs embedded in it. Now, that happens all the time (ugh), but in this particular case they were the keys of, presumably, a Huawei employee.