Introduction Some time ago I wrote about DNS privacy, why it’s important and how to ensure no one is snooping on your DNS traffic and protect yourself using techniques such as DNS over HTTPS and DNS over TLS. To visualize the impact of non-secured DNS traffic, I set up a small monitoring environment using OpenWRT, Prometheus and Grafana. Getting this setup to work on a single-core router with 2MB storage was more difficult than expected…
Introduction In the previous post I shared most of the services I have set up at my home lab. Managing all of them is good fun, but an issue that emerged with having so many services is visibility - how can a user without any context find out what services I provide? In this blog post I’m going to share my experience of building a chatbot that helps users discover my services. I went a bit deeper and made the implementation platform-agnostic, meaning that with a simple YAML config you can run the chatbot with your user-defined dialogs.
Introduction In my previous post I shared most of the services I am running at home. In this post I will share the way they are set up, including code sources, some of the challenges I met and how I solved them. Enjoy :) Problem statement Design a system that is: easily extensible (easy to add new services); scalable (can handle increase in usage); highly available (where the number of single points of failure is close to 0); easily maintainable (a single person can support it without dedicating a lot of time); moderately secure (having the ability to easily control who can talk to who); reliable (being able to trust it to properly function and store data). The system must allow for easy disaster recovery with minimal downtime and recovery effort, ideally with no data loss.
Introduction My home lab setup has changed a lot since my last post in 2018. Now it’s 2021 and the hype dictionary has changed significantly. I’ve spent the last year or so adopting the cloud-first mindset and my infrastructure has evolved. This will be a two-part series where I’ll showcase my home lab services and some of the interesting challenges I faced while building them. In this post I’ll list all the applications I am currently running and their use cases, and in the second part I will go into detail on how I built them and some of the more interesting challenges I faced during this endeavour.
Introduction SSH is a ubiquitous protocol for managing remote machines securely. Most of the time one would need just shell access to a remote machine to run commands; however, SSH allows for so much more. One of the interesting features is SSH forwarding - you can forward ports, Unix sockets, X11 sessions and other interesting stuff. All of this is fine until you start sharing the SSH server host with other people.
Introduction ARP spoofing is a rather nasty network attack which is not very popular because the attacker needs to be on the same LAN as the victim. This is impractical in most cases; however, if that happens to be the case, a malicious user can easily perform attacks such as Man-in-the-Middle (MitM) and/or Denial of Service (DoS). Recently I have been working on creating an attack-defense style CTF environment and ARP spoofing in the challenge network is definitely a concern.
Introduction This post is mainly about me sharing some very useful resources and shedding light on the cool idea behind DNS-over-HTTPS (aka DoH). I’ll also share a simple setup on how to run your own DoH server to hide your DNS lookups from prying eyes. What is DNS-over-HTTPS and why do I need it? As you know, DNS is a rather simple protocol, used for resolving domain names to IP addresses.
Introduction Authentication is hard. Application-level authentication is even tougher and most of the time, when prototyping something, people (unfortunately) don’t think about security and leave wide-open apps listening on the internet. A simple solution to that could be to use the production web server as an authentication entity that decides whether or not you are allowed to view the upstream application. Both Apache and nginx support basic authentication, which is essentially a header that your client sends with each request that has your username and password for the system.
Introduction Happy 2020 chaps! It’s January again, and it’s exam time for me, which means procrastination. And what better way to procrastinate than exploring something awesome like BTRFS snapshots? In this blog post I’ll share why I migrated from LVM + EXT4 to BTRFS and the benefits I found. I’ll go briefly through my experience with BTRFS and I’ll also share a tool I found recently - Snapper - which makes snapshotting even easier so let’s get started!
Introduction Recently I replaced my ancient laptop with a new, slightly better one. People associate changing workstations with an OS reinstall, setting up everything from scratch etc. I’d rather put my old disk in my new machine and continue as is. However, due to the age of my old laptop, I had formatted the disk with a Master Boot Record (MBR) and used Legacy Boot mode, which, it turned out, is not supported on new Dell laptops.