Category: INFRASTRUCTURE
Automating Security Patching: Debian Unattended Upgrades
If you follow current IT security vulnerabilities, you’ll agree that keeping systems up to date is critical. Unattended Upgrades for Debian/Ubuntu offers a simple yet powerful way to automate this process, securing your infrastructure with minimal manual intervention.
WireGuard VPN Setup: The Fast and Simple Guide for Linux and ChromeOS
You read my last post about StrongSwan and thought it was too complicated? I understand. WireGuard is the revolutionary, simple VPN solution that often proves faster and integrates better with modern operating systems like ChromeOS.
While I found my specialized IPsec connection to be slightly faster, WireGuard excels in ease of setup and client usability: the tunnel automatically resumes after sleep/suspend without manual intervention.
StrongSwan VPN: Mastering IKEv2 EAP-TLS and ChromeOS Client Integration
StrongSwan is the complete IPsec solution used to secure communication between servers and clients via mutual certificate-based authentication and encryption. This guide documents the necessary implementation steps for the highly secure IKEv2 EAP-TLS protocol, focusing on critical workarounds for seamless ChromeOS integration.
Suricata Performance: Resolving eBPF Bypass Failure via Manual Kernel Filter Compilation
Enabling eBPF (Extended Berkeley Packet Filter) bypass is the ultimate step in Suricata performance tuning. It allows the kernel to filter known-safe traffic (e.g., TLS data) before the packets reach the resource-intensive Userspace engine. However, this functionality often fails to work out-of-the-box.
Suricata IPS: Fixing Legitimate Traffic Drops by Disabling drop-invalid
I encountered a peculiar issue where my WordPress instance was unable to reach wordpress.org, and DokuWiki could not access its plugin repository. All standard network checks (wget, curl, DNS) worked fine, and no drops were registered by the standard firewall rules. However, logging revealed a problem deep within the Intrusion Prevention System (IPS) layer.
OpenSSH Hardening Strategy: Auditing Policies and Mitigating Low-Strength Ciphers
OpenSSH ships with a default configuration that prioritizes high compatibility. However, this compatibility comes at a price: some of the included ciphers and algorithms may be outdated or contain known vulnerabilities. To strengthen the encryption and gain a transparent overview of known weaknesses, ssh-audit is the essential auditing tool.
Paperless-NGX Setup: Installation, Security, and NGINX Integration
When I read about paperless-ngx, I was immediately drawn to the idea of having all my documents indexed (via OCR) and centrally stored. With a proper tagging system, exporting my documents for my annual tax declaration should only take seconds.
Bogon Defense: Integrating Dynamic IP Blacklists into Suricata’s Reputation System
Bogon networks are IP address ranges that should never appear on the public internet, as they are either reserved or unassigned. Blocking these ranges is a fundamental and highly effective security measure. While this can be done with simple firewall rules, integrating the blocklist directly into the Suricata IP Reputation system is far more performant.
Suricata AF-Packet: Resolving VirtIO Non-Functionality via Checksum Offload Disablement
This article documents a two-part process: successfully upgrading Suricata to version 7 on Debian Bookworm and solving a critical stability issue required to run the AF-Packet IPS mode with high-performance VirtIO NICs in a virtual machine. Without this specific configuration, the IPS failed to function.
Suricata Alert Analysis: Tuning Rules and Promoting Detection to Prevention
This is a follow-up to my last post in which I set up Suricata as an IPS. This article demonstrates how to effectively work with the Suricata engine—specifically, how I analyze its log output, silence unnecessary alerts, and promote specific detection rules to prevention rules.