Bootingup.net

Posts

February 28, 2022

Blog

When I started doing this blog, I wasn’t sure exactly what I wanted it to be. Some of my first posts were simply papers I had written for school I thought were cool. There have been few technically explicit posts (with configs, tutorials, etc) based on things I had done myself, as most of the posts are just summaries of things I have done or am working on. I suppose that’s because I don’t have many peers who would be interested and I am not involved in any tech groups.

February 28, 2022

Tired of Docker?

The Docker deployment I am using is looking more promising, especially for web front ends. The Let’s Encrypt wildcard is easy to use, so using the single wildcard with haproxy makes for a compelling single moving part. I suppose a clustered deploy would be useful, to prevent downtime with the single load balancer, but that’s okay for my size.

Next, I want to get some NIPS or perhaps WAF in place behind the SSL balancer, to keep that honest, before opening up the firewall. As I’m typing that, doing some more firewall rules on the docker host to prevent action when compromised, but that’s another kettle of fish.

February 19, 2022

More Docker

At work, there’s a push towards using K8s. I’ve set up a test K8s, I’ve run some docker, but I’m no expert. As I mess with all that tech, I’m starting to get behind it as a concept and want to use it in a meaningful way, and get away from “my apt packages and debian servers work fine thanks.”

Some of the services I run at home are now in containers. I’ve set up a haproxy server to act as a load balancer entry point, complete with SSL. This is funky, as in the backend network, everything is exposed (and some Docker containers expect the security to be on the host, implicitly trusting traffic), but also means I need a wildcard cert. Will need to read up on Let’s Encrypt to see how that is these days.

February 6, 2022

Hashing Machines

Imagination sparked to run a GPU accelerated VM for hash cracking with hashcat. Having run it with CPUs before, I know how to do that part, but I needed to get a GPU involved. I did this on my Fedora desktop, which had no problems with the drivers. But when I went to use a dedicated VM with PCI passthrough (something else I had just started doing with a fiber card for my router), I got stuck. I figured out how to do it, so I have a quick write up to share.

February 4, 2022

Goodbye Opnsense

I went through a LOT of changes lately on my router system. I wanted to create a VM for it and passthrough a PCIE card, but combined with a fan failure, I only just got it finished. During that time, I had to buy new 10GB fiber cards (no drivers for cheap old ones), then had to get a new CPU for IOMMU groups, and then a new fan. I fought with two clean Opnsense installs, trying to get VLAN tagging working on a Mikrotik SFP+ port, but it was not working correctly. I decided to try PFsense instead, maybe the kernel had some different modules, and while it didn’t work initially, I did get the second SFP+ port working on the Mikrotik, so maybe Opnsense would have worked after all. By then though, I was too far into my build and had to get it all working, so here I am on PFsense.

January 29, 2022

Ethical Starts

Got serious about the CEH. Got a No Starch Press Ethical Hacking book which I am now working through, as I want to feel confident on hard skills in addition to the theory of the CEH. Setting up my “weapons lab” vlan proved more difficult than it needed to be with VLAN tagging on Linux bridges on Mikrotiks. For anyone who reads this, I had to set the guests in KVM to use macvtap (which I never use, as I want the host to talk to the guests) instead of bridge mode. Likely something to do with the MAC addresses, but didn’t read too far into it once I saw the right traffic.

January 28, 2022

RouterOS for Switches

In my home lab, I have had Mikrotik gear for a long time. It’s cheap, very adaptable, and could almost be confused for Linux. My CRS226 used to serve as my main router, but after moving to OPNSense, it’s been relegated to switch duties. As a switch, it’s something that takes getting used to for people used to Cisco-like gear.

Vlan tagging is difficult to get at first, as the nomenclature is very different, using ingress and egress vlan tags instead of native vlans and trunks. They also are configured in groups of the same config, instead of defining config per port. It’s just something so different from Linux and Cisco that it’s a little unappealing. I would love to get some Linux switches, but the open firmware and whitebox world is very expensive second hand, and there isn’t a quick and easy start. The projects have seemed to have totally changed hands and what is in vogue, but hopefully we’ll see that change soon. If I’m wrong, please let me know!

January 16, 2022

Oauth Progress

Made progress with oauth2-proxy by using Okta instead of keycloak, which was likely a partial source of much trouble, although I will backport some of my config in order to see what the issue is.

Some observations were made from using this though: what to do with the headers or cookie for legacy apps? Should the cookie be made as minimal as possible with the headers as stripped as possible, or should some work be done to work with whatever authentication method the app uses? SSO is the end goal, so it is completely desirable to get that working throughout, but that means learning all about web auth. Oh well, that’s something to add to the CV!

January 11, 2022

Wargame Militias

Working on the wargame to use for the war between Cascadia and the IRC. I want to use Fistful of Tows, but figure I should try using some other system before that, to a) not need to buy a $75 book and b) not start a real war in the world immediately. So for now, we are going to simulate skirmishes that take place between militias on the border, using the AK47 Republic ruleset.

January 10, 2022

Fighting OAUTH

Spent the whole day today working on getting a working solution going for OAUTH2 with Keycloak. Started with trying to get it with oauth2-proxy, which I got no results from. Both portions were in Docker containers, but I just could not get what seemed to be cookies working fully. Then with vouch-proxy, I get stuck in a redirection loop with a JWT error.

Long story short, I have a few options. Ask for help, or move on from this idea. I view getting something like this as a huge win at home and at work, as SSO is something that organisations just need now. There are few things that feel boiler-plate and drop in enough to get going easily, which is a shame. Although maybe keycloak is just worse than lemonldap-ng.
