FreeBSD network performance on KVM/Qemu

Today I red an article that was comparing Fedora 29 and FreeBSD 11.2 network performance in a KVM/Qemu environment. Since I use KVM/Qemu and also Fedora and Freebsd I powered on a couple of vm and did my own tests. Results are quite interesting, I expected FreeBSD to be faster but it turns out Fedora 29 actually is. Host system configuration: CPU: Ryzen 7 1700x @4 GHz Motherboard: Gigabyte X370 K7 - BIOS F23d RAM: 2x16 GB DDR4 @3133 MHz CAS 16 HDD: Some Samsung SSD Operating systems Host: Fedora 29 x86_64 Fedora VM0: Fedora 29 X86_64 Fedora VM1: Fedora 29 X86_64 FreeBSD VM0: FreeBSD 11. …

Posted on

Nginx and XMPP over TLS

XMPP over TLS (formerly XEP-0368) is a clever mechanism that allows users to connect to a XMPP server from networks that restrict outgoing traffic only to specific ports; this block is circumvent by routing XMPP traffic via port TCP 433. If the server hosts only a XMPP server setting up XMPP over TLS is pretty easy, just instruct the server to listen on port 443. If the server also runs a webserver which is listening on port 443 things are a bit more complicated; luckily Nginx provides a way to manage XMPP traffic and redirect it to the XMPP server. …

Posted on

GNU TAR and memory caching

Guess it is time to write my first post using Hugo. Yesterday I downloaded a torrent consisting of 2 years worth of 4chan posts, the plan was to mess with it and use the data to train a chatbot. Dealing with big datasets is always fun because even the easiest tasks tend to get complicated, for example extracting the data from a ~3 GB tar.gz compressed archive was a challenge by itself. …

Posted on

CentOS 7: failed to open \efi\centos\grubx64.efi

For some reason one of my CentOS 7 boxes decided to nuke itself yesterday, when I powered it on it prompted me with the following error: “failed to open \efi\centos\grubx64.efi”. What I did to fix it is: Boot up a rescue USB, mount the required partitions and chroot. Add a DNS server: $ echo "nameserver *.*.*.*" >> /etc/resolv.conf Enable networking using ifconfig (in my case it was already enabled). …

Posted on

Remote encrypted backup with iSCSI and LUKS2

The idea here is to have a LUKS2 encrypted volume stored on a remote server that allows authenticated clients to load and decrypt the data without letting the server know what is being written, read and stored. Keep in mind that this solution is not 100% bulletproof, you still kind of have to trust the backup server because a malicious entity might take multiple snapshots of the encrypted iSCSI LUN and try to crack the encryption. …

Posted on

LUKS2 the right way: Argon2

Version 2 of cryptsetup got a few new fancy options, one of them is the ability to use Argon2as key derivation function. Creating a LUKS2 volume with Argon2 as hash function is very easy: sudo cryptsetup luksFormat -M luks2 --pbkdf argon2id -i 5000 /dev/sdb Please note that grub still does not support it, so it can’t be used for boot drives. Once the volume is created, to mount it run: …

Posted on

Generate a secure SSH key

In Fedora, CentOS and probably many other Linux distros ssh-keygen; still defaults to RSA 2048. People have not yet realized that the newer, and also faster, elliptic curve cryptography is available; even between my peers I still see that many of them are using old and insecure RSA based keys. Since SSH clients support multiple keys transitioning to newer keys can be painless: create a new elliptic curve key; do not delete the old RSA key; once you login into a server swap the old key with the new one. …

Posted on

Generate a secure GPG key

For some reason gpg gen-key still defaults to SHA1 and RSA2048, due to the known weaknesses of SHA1 it is probably a better idea to use SHA256. First of all, we need to create a configuration file. cat ~/.gnupg/gpg.conf" --- personal-digest-preferences SHA256 cert-digest-algo SHA256 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed To generate a new key type (also specify to use RSA 4096): gpg --gen-key ### or gpg --full-generate-key Other useful commands are: …

Posted on