Fiddling with IoT home security

Last year I installed an IoT home security system; back then I did not bother to connect it to the internet, mostly because of my own laziness but also because IoT most of the time rhymes with: overpriced crap prone to also being a security nightmare. I am not going to name the brand, but it is fairly well known and its pricing is not on the cheap side (€ 700 for the main unit and external keyboard). Hardware-wise it is well made; just by looking at it one could tell that quite some engineering was poured into it, it has all kinds of expansion cards and the quality seems more than decent. Software, hard to say though. Just to be on the safe side, I have put it into its own network segment which is segregated from the rest of the network. …


Remotely unlock a full disk encrypted Fedora 40 server

What I have been doing in 2020 and before doesn’t seem to work anymore, hence it is time to publish a new episode of the saga: how to remotely unlock a full disk encrypted Linux machine. dracut-sshd still works perfectly even though the surroundings changed a bit. The first step is instructing dracut to add dracut-sshd into the initramfs:

$ sudo dnf install dracut dracut-network openssh
$ git clone https://github.com/gsauthof/dracut-sshd.git
$ cd dracut-sshd
$ sudo cp -ri 46sshd /usr/lib/dracut/modules.d

Configure grub to instruct dracut to add networking to the initramfs: …


We are in the cloud

We are in the cloud, running on someone else’s computer.


Mikrotik RouterOS WAN traffic sniff Suricata IDS

Preface: this is the poor man’s way of hooking up Suricata IDS to any Mikrotik router. Better ways would be using port mirroring or putting the Suricata host directly in front of the router. My goal was to have all network traffic coming from and going to the internet mirrored into the Suricata virtual machine. The network schema is the following:

(internet) <-> routeros <-> debian_hypervisor <-> (linux bridge) <-> Suricata_VM

There are a few ways of doing this; the one which is in my opinion the lesser evil involves: …


Monitoring DNS BIND with Zabbix

Shockingly enough, out of the box Zabbix (version 6) does not include any template to monitor a very crucial component of every organization: DNS. Like most open source aficionados, my DNS of choice is BIND named. Luckily Zabbix has a pretty huge community and plenty of templates for it are freely available; a quick search on the interwebz led me to this page. Kudos to whoever wrote this template, I just took it and tweaked it a little bit. …


Sony WF-1000XM4 on Linux Fedora 35

Last week I converted myself to wireless earphones. I don’t consider myself an audiophile, I don’t have any deep knowledge of music but I kinda enjoy listening to it. Because of this I have had a few decent pairs of headphones, earphones and monitor speakers in my life; they all shared one thing: cables. Last week I pulled the trigger and bought myself my very first pair of wireless earphones: Sony WF-1000XM4. The main idea was to use them with the phone and maybe with the work-issued laptop which is running Windows; I did not even think they would work with my Linux laptop. But to my biggest surprise they just work on Linux, no fiddling with bluetoothctl or btmgmt; just enable BT in Gnome settings, long press for 5 seconds on both earphones to activate pairing mode and wait for them to pair. …


Thinkpad T480 firmware update in Linux using fwupd

For the most part I never cared much about upgrading firmware because “if it works, don’t mess with it” is usually my rule. I also don’t care much about having the latest version of Intel “““NSA botnet””” Management Engine installed; it is a piece of trash anyway so I might as well not have the latest updates. But since I have some issues with the NVMe drive (very slow reads, it is most definitely dying) I figured a system-wide firmware upgrade wouldn’t be a bad thing. The interwebz says the best way to upgrade firmware on Linux is using a tool called fwupd; it basically gives the user access to a massive repository of firmware that is provided and signed by the hardware companies themselves. Dealing with closed source crapware and binary blobs always gives some headache, and of course getting fwupd working was not free of hassle: it downloads everything, gives no error/warning, but after rebooting nothing gets installed. …


Debian QEMU/KVM bridged networking and VLAN

By default on every Linux distro, after installing QEMU and libvirt two kinds of networking are available:

NAT: the VM sits behind a NAT.
MACVTAP: without going into much detail, it acts more or less like a bridged network, except not really. One of the most annoying limitations is that host to guest communication, and vice versa, does not really work well. Other important things might be broken as well, for example VRRP. This mode is good for quick and dirty testing but not really for a stable environment.

BRIDGED networking is also supported by libvirt but requires some manual work. A possible networking schema could be the following: …
