linux kvm resize qcow2 Image

Here a very short howto

virsh shutdown kvm11111
qemu-img resize hd.qcow2 +10G
fdisk /dev/vda

Command (m for help): p

Command (m for help): d

Command (m for help): n

Do you want to remove the signature? [Y]es/[N]o: N

Command (m for help): w

boot a rescue image then run

e2fsck -f /dev/vda1

resize2fs /dev/vda1

Have fun!

Apache mod_qos WordPress bruteforce mitigation

Hi, WordPress bruteforce attacks produce high cpu load
here some simple examples to get rid of that issue with mod_qos

Install apache module and enable it

apt install libapache2-mod-qos
a2enmod unique_id qos setenvif

For global mitigation, edit your apache module config

/etc/apache2/mods-enabled/qos.conf
<IfModule qos_module>
  # minimum request rate (bytes/sec at request reading):
  #QS_SrvRequestRate                                 120

  # limits the connections for this virtual host:
  #QS_SrvMaxConn                                     100

  # allows keep-alive support till the server reaches 600 connections:
  #QS_SrvMaxConnClose                                600

  # allows max 50 connections from a single ip address:
  #QS_SrvMaxConnPerIP                                 50

  # allows a single IP addess to access the URI /wp-login.php not more
  # than 10 times within 2 minutes:
  SetEnvIf Request_URI ^/xmlrpc.php LimitWpXmlRpc
  QS_ClientEventLimitCount 10 120 LimitWpXmlRpc
  SetEnvIf Request_URI ^/wp-login.php LimitWpLogin
  QS_ClientEventLimitCount 10 120 LimitWpLogin
</IfModule>

Per Virtualhost mitigation apache config

<IfModule qos_module>
  # limits concurrent requests to the locations:
  QS_LocRequestLimitMatch "^(/wp-login.php).*$" 2
  # does not allow more than 1 requests/sec:
  QS_LocRequestPerSecLimitMatch "^(/wp-login.php).*$" 1

  # limits concurrent requests to the locations:
  QS_LocRequestLimitMatch "^(/xmlrpc.php).*$" 2
  # does not allow more than 1 requests/sec:
  QS_LocRequestPerSecLimitMatch "^(/xmlrpc.php).*$" 1
</IfModule>

Have fun!

IPSec Road Warrior Strongswan 5.8 IKEv2 swanctl Mikrotik RSA Auth

Hi,
here my Strongswan road-warrior config using Archlinux

/etc/swanctl/conf.d/somename.conf

connections {	
	somename {
		local_addrs  = %any
		remote_addrs = gw.domain.tld
		vips = %any
		version = 2
		proposals = aes256-sha256-modp2048
		dpd_timeout=120s
		rekey_time=1d
      
		local {
			auth = pubkey
			certs = cert_export_work_crt.pem
			id = "work@gw.domain.tld"
		}
		remote {
			auth = pubkey
			id = "CN=gw.domain.tld"
		}
		children {
			somename {
				#start_action = start
				remote_ts = 192.168.223.0/24
				esp_proposals = aes256-sha256-modp2048
				dpd_action=start
				life_time=8h
			}
		}
	}
}

secrets {
	rsa-somename {
		file = cert_export_work_private.pem
	}
}

Save your private key to

/etc/swanctl/private/cert_export_work_private.pem

Save your certificate to

/etc/swanctl/x509/cert_export_work_crt.pem

Save your ca-certificate to

/etc/swanctl/x509ca/cert_export_ca.pem

Start and stop your vpn connection via

systemctl restart strongswan

swanctl --initiate --child somename

swanctl --terminate --child somename

Have fun!

install kimai2 into subdirectory serve via nginx and php-fpm

Hi, here the config section of nginx

location /kimai2 {
index index.php;
alias /srv/http/kimai2/public;
try_files $uri $uri/ @kimai2;
location ~ .php$ {
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location @kimai2 {
rewrite /kimai2/(.*)$ /kimai2/index.php?/$1 last;
}
location /build {
alias /srv/http/kimai2/public/build;
}

Have fun!

ubuntu 18.04 netplan source routing

Hi

Here a source routing example if you have multiple networks connected on your linux host and want every ip address reachable on the internet.

network:
   version: 2
   renderer: networkd
   ethernets:
     ens3:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [81.94.xx.xx/28, "2a01:xxx:xxxx:xx::xx/64"]
       gateway4: 81.94.xx.xx
       gateway6: 2a01:xxx:xxxx:xx::x
       nameservers:
         addresses: [1.0.0.1]
     ens6:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [195.16.xxx.111/25]
       routes:
         - to: 195.16.xxx.x/25
           via: 195.16.xxx.gw
           table: 102
         - to: 0.0.0.0/0
           via: 195.16.xxx.gw
           table: 102
       routing-policy:
         - from: 195.16.xxx.111
           table: 102
         - to: 195.16.xxx.111
           table: 102

Have fun!