Remotely unlock a full disk encrypted Fedora 40 server

What I had been doing in 2020 and before doesn't seem to work anymore, hence it is time to publish a new episode of the saga: how to remotely unlock a full disk encrypted Linux machine. dracut-sshd still works perfectly even though the surroundings have changed a bit.

First step is instructing dracut to add dracut-sshd into the initramfs:

$ sudo dnf install dracut dracut-network openssh
$ git clone https://github.com/gsauthof/dracut-sshd.git
$ cd dracut-sshd
$ sudo cp -ri 46sshd /usr/lib/dracut/modules.d

Configure grub to instruct dracut to add networking to the initramfs: …
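Once the module is in place and the image has been rebuilt, the thing worth verifying before rebooting is that the initramfs really carries sshd, a host key and your authorized_keys, and that the kernel command line brings the network up early. The script below is an added example, not part of the post or of dracut-sshd: it checks an `lsinitrd` listing and a kernel command line for those items. The paths it looks for (sshd under usr/sbin, host keys under etc/ssh, root/.ssh/authorized_keys) are assumptions based on dracut-sshd's documented layout, and the `rd.neednet=1` / `ip=` options are dracut's standard early-network switches; the listing and command line embedded in it are constructed samples, a real check runs with the `live` argument.

```shell
#!/bin/sh
# Added example: sanity-check a dracut-sshd initramfs and the kernel cmdline.
# Not part of the post or of dracut-sshd; the paths below are assumptions
# based on dracut-sshd's documented layout.

# initrd_has_sshd LISTING
# LISTING is the output of `lsinitrd <image>`. Returns 0 only if the image
# contains the sshd binary, at least one host key and an authorized_keys file.
initrd_has_sshd() {
    listing=$1
    missing=""
    printf '%s\n' "$listing" | grep -Eq '(^|[ /])usr/sbin/sshd$' \
        || missing="$missing sshd"
    printf '%s\n' "$listing" | grep -Eq 'etc/ssh/ssh_host_[a-z0-9]+_key$' \
        || missing="$missing host-key"
    printf '%s\n' "$listing" | grep -Eq 'root/\.ssh/authorized_keys$' \
        || missing="$missing authorized_keys"
    if [ -n "$missing" ]; then
        echo "initramfs is missing:$missing" >&2
        return 1
    fi
    return 0
}

# cmdline_has_early_net CMDLINE
# Returns 0 if the kernel command line asks dracut to bring networking up
# (rd.neednet=1) and configures an interface (an ip= option, e.g. ip=dhcp).
cmdline_has_early_net() {
    cmdline=$1
    case " $cmdline " in
        *" rd.neednet=1 "*) ;;
        *) echo "kernel cmdline lacks rd.neednet=1" >&2; return 1 ;;
    esac
    case " $cmdline " in
        *" ip="*) return 0 ;;
        *) echo "kernel cmdline lacks an ip= option" >&2; return 1 ;;
    esac
}

# check_live: run both checks against this machine. Needs lsinitrd (from the
# dracut package) and root to read /boot; only used with the "live" argument.
check_live() {
    img="/boot/initramfs-$(uname -r).img"
    initrd_has_sshd "$(lsinitrd "$img")" \
        && cmdline_has_early_net "$(cat /proc/cmdline)"
}

# Constructed sample inputs (not real output) used when run without "live".
SAMPLE_GOOD_LISTING='-rwxr-xr-x   1 root     root       12345 Jan  1  2024 usr/sbin/sshd
-rw-------   1 root     root         411 Jan  1  2024 etc/ssh/ssh_host_ed25519_key
-rw-------   1 root     root         100 Jan  1  2024 root/.ssh/authorized_keys'
SAMPLE_BAD_LISTING='-rwxr-xr-x   1 root     root       12345 Jan  1  2024 usr/sbin/sshd'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/fedora-root rd.neednet=1 ip=dhcp quiet'

if [ "${1:-}" = "live" ]; then
    check_live
else
    initrd_has_sshd "$SAMPLE_GOOD_LISTING" && echo "sample image: ok"
    initrd_has_sshd "$SAMPLE_BAD_LISTING" || echo "sample image without keys: rejected as expected"
    cmdline_has_early_net "$SAMPLE_CMDLINE" && echo "sample cmdline: ok"
fi
```

Since the image now embeds a private host key, also confirm that the initramfs file itself is not world-readable before calling the setup done.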

We are in the cloud

We are in the cloud, running on someone else’s computer.

Mikrotik RouterOS WAN traffic sniff Suricata IDS

Preface: this is the poor man's way of hooking up Suricata IDS to any Mikrotik router. Better ways would be using port mirroring or putting the Suricata host directly in front of the router. My goal was to have all network traffic coming from and going to the internet mirrored into the Suricata virtual machine. The network schema is the following:

(internet) <-> routeros <-> debian_hypervisor <-> (linux bridge) <-> Suricata_VM

There are a few ways of doing this; the one which is in my opinion the lesser evil involves: …

Monitoring DNS BIND with Zabbix

Shockingly enough, out of the box Zabbix (version 6) does not include any template to monitor a very crucial component of every organization: DNS. Like most open source aficionados, my DNS of choice is BIND named. Luckily Zabbix has a pretty huge community and plenty of templates for it are freely available; a quick search on the interwebz led me to this page. Kudos to whoever wrote this template, I just took it and tweaked it a little bit. …

Sony WF-1000XM4 on Linux Fedora 35

Last week I converted myself to wireless earphones. I don't consider myself an audiophile and I don't have any deep knowledge of music, but I kinda enjoy listening to it. Because of this I have had a few decent pairs of headphones, earphones and monitor speakers in my life; they all shared one thing: cables. Last week I pulled the trigger and bought myself my very first pair of wireless earphones: Sony WF-1000XM4. The main idea was to use them with the phone and maybe with the work-issued laptop which runs Windows; I did not even think they would work with my Linux laptop. But to my biggest surprise they just work on Linux, no fiddling with bluetoothctl or btmgmt; just enable BT in Gnome settings, long press for 5 seconds on both earphones to activate pairing mode and wait for them to pair. …

Thinkpad T480 firmware update in Linux using fwupd

For the most part I never cared much about upgrading firmware because "if it works, don't mess with it" is usually my rule. I also don't care much about having the latest version of the Intel “““NSA botnet””” Management Engine installed; it is a piece of trash anyway so I might as well not have the latest updates. But since I have some issues with the NVMe drive (very slow reads, it is most definitely dying) I figured a system wide firmware upgrade wouldn't be a bad thing. The interwebz says the best way to upgrade firmware on Linux is using a tool called fwupd; it basically gives the user access to a massive repository of firmware images which are provided and signed by the hardware vendors themselves. Dealing with closed source crapware and binary blobs always gives some headache, and of course getting fwupd to work was not free of hassle: it downloads everything, gives no error/warning, but after rebooting nothing gets installed. …

Debian QEMU/KVM bridged networking and VLAN

By default on every Linux distro, after installing QEMU and libvirt two kinds of networking are available:

NAT: the VM sits behind a NAT.

MACVTAP: without going into much detail, it acts more or less like a bridged network, except not really. One of the most annoying limitations is that host to guest communication (and vice versa) does not really work. Other important things might be broken as well, for example VRRP. This mode is good for quick and dirty testing but not for a stable environment.

BRIDGED networking is also supported by libvirt but requires some manual work. A possible networking schema could be the following: …
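As an added example of the manual work involved (not the post's own schema, which this excerpt cuts off), the script below prints an ifupdown stanza that puts a Linux bridge on top of a tagged VLAN sub-interface, the libvirt network definition that hands guests that bridge, and the domain `<interface>` element that attaches a guest to it. The NIC, VLAN id, bridge and network names are parameters whose defaults (enp2s0, VLAN 10, br10, vlan10) are assumptions for illustration; the stanza relies on the Debian `vlan` and `bridge-utils` packages. The script only prints; applying it means writing the stanza under /etc/network/interfaces.d/, running `ifup`, and `virsh net-define` / `net-autostart` / `net-start` for the XML.

```shell
#!/bin/sh
# Added example: generate an ifupdown bridge-on-VLAN stanza plus the libvirt
# network and guest interface that use it. Not the post's configuration;
# interface and network names are assumed defaults.

# ifupdown_vlan_bridge NIC VLAN_ID BRIDGE
# Prints an /etc/network/interfaces.d/ stanza: NIC.VLAN_ID as a tagged
# sub-interface (vlan package) with BRIDGE on top (bridge-utils). The bridge
# carries no address, so the hypervisor itself stays off that VLAN; give it
# an "inet static" stanza instead if the host should be reachable there too.
ifupdown_vlan_bridge() {
    nic=$1; vid=$2; br=$3
    cat <<EOF
auto ${nic}.${vid}
iface ${nic}.${vid} inet manual
    vlan-raw-device ${nic}

auto ${br}
iface ${br} inet manual
    bridge_ports ${nic}.${vid}
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
EOF
}

# libvirt_bridge_network NAME BRIDGE
# Prints a libvirt network in forward mode "bridge": libvirt does no NAT or
# DHCP here, it only plugs guest tap devices into the existing host bridge,
# so host<->guest traffic and multicast (e.g. VRRP) behave like on a switch.
libvirt_bridge_network() {
    name=$1; br=$2
    cat <<EOF
<network>
  <name>${name}</name>
  <forward mode="bridge"/>
  <bridge name="${br}"/>
</network>
EOF
}

# guest_interface NAME
# Prints the <interface> element for a domain XML (virsh edit <vm>) so the
# guest's NIC lands on that libvirt network.
guest_interface() {
    cat <<EOF
<interface type="network">
  <source network="$1"/>
  <model type="virtio"/>
</interface>
EOF
}

NIC=${NIC:-enp2s0}; VID=${VID:-10}; BR=${BR:-br${VID}}; NET=${NET:-vlan${VID}}

echo "# --- /etc/network/interfaces.d/${BR} ---"
ifupdown_vlan_bridge "$NIC" "$VID" "$BR"
echo "# --- ${NET}.xml: virsh net-define ${NET}.xml && virsh net-autostart ${NET} && virsh net-start ${NET} ---"
libvirt_bridge_network "$NET" "$BR"
echo "# --- add to the guest's domain XML ---"
guest_interface "$NET"
```

Run it as `VID=20 sh make-bridge.sh` to get a second VLAN; one bridge per VLAN keeps guests on different VLANs from seeing each other's broadcast domain.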

Keepalived and libvirt MACVTAP network interfaces

Keepalived is routing software written in C that can be used to set up load balancing and high availability for Linux machines. NOTE: the hypervisor is Debian 10 (Buster) with libvirt and qemu/kvm; the virtual machines are also Debian 10 (Buster).

Keepalived configuration

Install keepalived:

$ apt install keepalived

Install nginx, it will be used to check that keepalived is actually working:

$ apt install nginx
$ systemctl enable --now nginx

Configure keepalived:

$ vi /etc/keepalived/keepalived.conf
---
global_defs {
    enable_script_security  # refuse to run root scripts from paths writable by non-root users
    script_user root        # defines which user runs the check script
}

vrrp_script chk_nginx {
    script "/opt/scripts/nginx-check.sh"
    interval 2              # run script every 2 seconds
    weight 2                # add 2 points if OK
}

vrrp_instance VI_1 {
    interface enp2s0        # interface to monitor
    virtual_router_id 51
    priority 101            # MASTER 101, BACKUP 100
    advert_int 1
    nopreempt               # keeps the VIP on the current holder; comment out to have
                            # the VIP go back to MASTER when it comes back online
    authentication {
        auth_type PASS
        auth_pass myPass    # maximum 8 chars
    }
    virtual_ipaddress {
        10.10.0.12/24       # VIP (Virtual IP Address)
    }
    track_script {
        chk_nginx
    }
}

Note that auth_type PASS sends the password in cleartext in every VRRP advertisement, so it only keeps misconfigured peers apart; it is no defence against a hostile host on the same segment. Also add a script to check if nginx is alive and well: …
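The post's own check script is cut off in this excerpt. As an added example of what keepalived's vrrp_script expects (not the post's script), here is a fail-closed health check: it exits 0 when nginx answers an HTTP request on the given URL within a short timeout and non-zero otherwise, so on failure keepalived withholds the 2 weight points and the backup's priority wins. It takes the URL as its first argument, so the matching config line would be `script "/opt/scripts/nginx-check.sh http://127.0.0.1/"`; the URL and the 2 second timeout are assumptions. With enable_script_security in place, the file and every directory in its path must be owned by root and not writable by anyone else, or keepalived refuses to run it.

```shell
#!/bin/sh
# Added example keepalived check script (not the post's own script).
# Usage from keepalived.conf:
#   vrrp_script chk_nginx { script "/opt/scripts/nginx-check.sh http://127.0.0.1/" ... }
# Exit 0 = healthy (weight added), non-zero = unhealthy (weight withheld).

# nginx_alive URL [TIMEOUT_SECONDS]
# Probes URL with a real HTTP request instead of just looking for a process:
# a hung worker or a 5xx from a broken upstream also counts as down.
nginx_alive() {
    url=$1
    timeout=${2:-2}
    if command -v curl >/dev/null 2>&1; then
        # -f: a non-2xx/3xx status is a failure; -m: hard deadline so the
        # check never outlives keepalived's 2 second interval by much.
        curl -sS -f -m "$timeout" -o /dev/null "$url"
    elif command -v wget >/dev/null 2>&1; then
        # -t 1: one attempt, -T: timeout; wget exits non-zero on 4xx/5xx too.
        wget -q -T "$timeout" -t 1 -O /dev/null "$url"
    else
        # Fail closed: a check that cannot check must not hand out weight.
        echo "nginx-check: neither curl nor wget available" >&2
        return 1
    fi
}

# When invoked by keepalived (with a URL argument), run the probe and exit
# with its status. Without arguments the file only defines nginx_alive.
if [ $# -ge 1 ]; then
    if nginx_alive "$1" "${2:-2}"; then
        exit 0
    fi
    echo "nginx-check: $1 not healthy" >&2
    exit 1
fi
```

Install it with `install -o root -g root -m 0755 nginx-check.sh /opt/scripts/nginx-check.sh` and check that /opt/scripts is root-owned and mode 0755 as well; otherwise keepalived logs a security warning and treats the script as failed.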
