This article documents a reliable update script for the Paperless-NGX stack, which minimizes the risk of container failures during automated maintenance. The focus here is not just on simple automation, but on ensuring the integrity of the process—especially handling logs and exit codes within complex Bash pipelines.
Continue reading Docker Update Automation: Advanced Bash Pipelining. paperless-ngxTag: Observability
Automating Security Patching: Debian Unattended Upgrades
If you follow current IT security vulnerabilities, you’ll agree that keeping systems up to date is critical. Unattended Upgrades for Debian/Ubuntu offers a simple yet powerful way to automate this process, securing your infrastructure with minimal manual intervention.
Continue reading Automating Security Patching: Debian Unattended UpgradesAutomating IPS: Real-Time Suricata Rule Generation via Fail2ban Hook
In my last posts, I established a central syslog hub feeding Fail2ban and demonstrated Suricata as an intrusion prevention system (IPS). This final piece connects the two: feeding Suricata with the ban results from Fail2ban by creating a dynamic, external rule file.
Continue reading Automating IPS: Real-Time Suricata Rule Generation via Fail2ban HookSuricata Alert Analysis: Tuning Rules and Promoting Detection to Prevention
This is a follow-up to my last post in which I set up Suricata as an IPS. This article demonstrates how to effectively work with the Suricata engine—specifically, how I analyze its log output, silence unnecessary alerts, and promote specific detection rules to prevention rules.
Continue reading Suricata Alert Analysis: Tuning Rules and Promoting Detection to PreventionAutomated Defense: Building a Central Log Hub for Fail2ban and External Firewall Integration
A very light-weight and efficient approach for consolidating logs centrally is by using rsyslog. My virtual machines all use rsyslog to forward their logs to a dedicated internal virtual machine, which acts as the central log hub. A fail2ban instance on this hub checks all incoming logs and sends a block command to an external firewall—a process helpful for automated security.
Continue reading Automated Defense: Building a Central Log Hub for Fail2ban and External Firewall IntegrationZFS Data Migration: Encrypting Existing Volumes with zfs send and zfs recv
Encrypting previously unencrypted data, such as a legacy ZFS pool, requires a reliable migration strategy. The most robust way to achieve this is by using the powerful ZFS data stream mechanism: zfs send and zfs recv.
The core procedure is simple: create a snapshot, transfer this snapshot, and receive it at a new, encrypted destination.
Continue reading ZFS Data Migration: Encrypting Existing Volumes with zfs send and zfs recvNGINX Hardening: Achieving A+ Security & Performance
Improving your web security and performance starts with a solid foundation. I regularly use external online generators and verification tools to ensure my NGINX configuration meets the highest standards. This guide details my steps to achieve an A+ security rating and optimal performance settings.
Continue reading NGINX Hardening: Achieving A+ Security & Performance