Restored Article: SPF: The Foundation of Email Sender Authentication

The Sender Policy Framework (SPF) is a foundational email authentication technology. It enables a domain owner to specify, via a special DNS record, which hosts are authorized to send mail on behalf of their domain.

WireGuard VPN Setup: The Fast and Simple Guide for Linux and ChromeOS

You read my last post about StrongSwan and thought it was too complicated? I understand. WireGuard is the revolutionary, simple VPN solution that often proves faster and integrates better with modern operating systems like ChromeOS.

While I found my specialized IPsec connection to be slightly faster, WireGuard excels in ease of setup and client usability: the tunnel automatically resumes after sleep/suspend without manual intervention.

StrongSwan VPN: Mastering IKEv2 EAP-TLS and ChromeOS Client Integration

StrongSwan is the complete IPsec solution used to secure communication between servers and clients via mutual certificate-based authentication and encryption. This guide documents the necessary implementation steps for the highly secure IKEv2 EAP-TLS protocol, focusing on critical workarounds for seamless ChromeOS integration.

Suricata Performance: Resolving eBPF Bypass Failure via Manual Kernel Filter Compilation

Enabling eBPF (Extended Berkeley Packet Filter) bypass is the final step in Suricata performance tuning. It allows the kernel to filter known-safe traffic (e.g., TLS data) before the packets reach the resource-intensive userspace engine. However, this functionality often fails to work out of the box.

Suricata IPS: Fixing Legitimate Traffic Drops by Disabling drop-invalid

I encountered a peculiar issue where my WordPress instance was unable to reach wordpress.org, and DokuWiki could not access its plugin repository. All standard network checks (wget, curl, DNS) worked fine, and no drops were registered by the standard firewall rules.

However, logging revealed a problem deep within the Intrusion Prevention System (IPS) layer.

OpenSSH Hardening Strategy: Auditing Policies and Mitigating Low-Strength Ciphers

OpenSSH ships with a default configuration that prioritizes high compatibility. However, this compatibility comes at a price: some of the included ciphers and algorithms may be outdated or contain known vulnerabilities. To strengthen the encryption and gain a transparent overview of known weaknesses, ssh-audit is the essential auditing tool.

Bogon Defense: Integrating Dynamic IP Blacklists into Suricata’s Reputation System

Bogon networks are IP address ranges that should never appear on the public internet, as they are either reserved or unassigned. Blocking these ranges is a fundamental and highly effective security measure. While this can be done with simple firewall rules, integrating the blocklist directly into the Suricata IP Reputation system is far more performant.

Suricata IPS: Building a Transparent Network Defense Layer with AF-Packet Bridging

Suricata functions as a powerful engine for Network Intrusion Detection and Prevention (IDS/IPS). This guide demonstrates how to set up Suricata as a transparent Intrusion Prevention System (IPS) within a KVM environment by replacing the kernel bridge with the high-performance AF-Packet mechanism.

Securing Email with MTA-STS and TLSRPT

What is MTA-STS (MTA Strict Transport Security)?

MTA-STS is a mechanism that enforces TLS encryption for your email communication. Think of it as HTTP Strict Transport Security (HSTS) for email. By instructing the sending mail server that a secure connection is mandatory, you can effectively mitigate or stop Man-in-the-Middle (MITM) attacks. The official abstract from the RFC puts it best: