ipv4 ipv6 mtu mss size

In this case we have a GRE tunnel inside an IKEv2 tunnel inside a PPPoE tunnel :-)


Get ipv4 mss with Linux host


Size 1339 error

ping -4 -n -c 2 -M do -s 1339 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1339(1367) bytes of data.
ping: local error: Message too long, mtu=1366
ping: local error: Message too long, mtu=1366

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1027ms

Size 1338 good

ping -4 -n -c 2 -M do -s 1338 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1338(1366) bytes of data.
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.926/31.966/32.006/0.040 ms

How to calculate ipv4 mss

ICMPv4 header size ([IPv4 + ICMP] [20 + 8]) = 28
MTU ([Size + ICMPv4] [1338 + 28]) = 1366
IPv4+TCP header size ([IPv4 + TCP] [20 + 20]) = 40
TCP-MSS ([MTU - IPv4+TCP] [1366 - 40]) = 1326


Mikrotik ipv4 tcp-mss clamping example

/ip firewall mangle
add action=change-mss chain=forward new-mss=1326 passthrough=yes protocol=tcp src-address=xxx.xxx.xxx.xxx tcp-flags=syn tcp-mss=1327-65535
add action=change-mss chain=forward dst-address=xxx.xxx.xxx.xxx new-mss=1326 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1327-65535


Get ipv6 mss with Linux host


Size 1319 error

ping -6 -n -c 2 -M do -s 1319 www.google.com

PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1319 data bytes

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1004ms

Size 1318 good

ping -6 -n -c 2 -M do -s 1318 www.google.com
PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1318 data bytes
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.501/31.733/31.966/0.292 ms

How to calculate ipv6 mss

ICMPv6 header size ([IPv6 + ICMP] [40 + 8]) = 48
MTU ([Size + ICMPv6] [1318 + 48]) = 1366
IPv6+TCP header size ([IPv6 + TCP] [40 + 20]) = 60
TCP-MSS ([MTU - IPv6+TCP] [1366 - 60]) = 1306


Mikrotik ipv6 tcp-mss clamping example

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1306 passthrough=yes protocol=tcp src-address=xxx:xxx:xxx:xxx::xxx/120 tcp-flags=syn tcp-mss=1307-65535
add action=change-mss chain=forward dst-address=xxx:xxx:xxx:xxx::xxx/120 new-mss=1306 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1307-65535
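The following script automates the two calculations above (the IPv4 one after "Size 1338 good" and the IPv6 one after "Size 1318 good") and renders the corresponding MikroTik clamp rule. It is an added example, not code from the original post: it assumes iputils ping on Linux (the tool used above), uses www.google.com only as the default target, and the simulated_probe helper is a constructed stand-in so the search logic can be exercised offline without sending any packets.

```python
"""Path-MTU probing and TCP MSS calculation.

Added example, not code from the original post. It automates the manual
procedure above: send DF pings ("-M do") of varying payload size, find the
largest one that still passes, then derive the path MTU and the MSS value to
clamp to for IPv4 and IPv6. The probe command is pluggable so the search can
be exercised offline against a simulated path.
"""
import re
import subprocess

# Header sizes the post's arithmetic uses.
HEADER = {
    4: {"ip": 20, "icmp": 8, "tcp": 20},
    6: {"ip": 40, "icmp": 8, "tcp": 20},
}

# Matches the hints "mtu=1366" (local error) and "(mtu = 1366)" (ICMP
# fragmentation-needed reply) that ping prints when DF is set.
MTU_HINT = re.compile(r"mtu[=: ]+(\d+)")


def ping_probe(host, family, payload, timeout_s=2):
    """Run one DF ping exactly like the post (iputils ping on Linux is
    assumed) and return its combined stdout/stderr."""
    cmd = ["ping", f"-{family}", "-n", "-c", "1", "-W", str(timeout_s),
           "-M", "do", "-s", str(payload), host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def probe_passes(output):
    """A probe passes when a reply line ('... bytes from ...') came back."""
    return "bytes from" in output


def path_mtu(host, family, probe=ping_probe, lo=500, hi=1500):
    """Binary-search the largest payload that passes with DF set and return
    the path MTU (payload + IP + ICMP header). If the output already carries
    an MTU hint, as the post's 'Message too long, mtu=1366' lines do, that
    value is returned directly."""
    overhead = HEADER[family]["ip"] + HEADER[family]["icmp"]
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        out = probe(host, family, mid)
        hint = MTU_HINT.search(out)
        if hint:
            return int(hint.group(1))
        if probe_passes(out):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    if best is None:
        raise RuntimeError("no probe size passed; check connectivity first")
    return best + overhead


def tcp_mss(mtu, family):
    """MSS = MTU - IP header - TCP header (1366 - 40 = 1326 for IPv4,
    1366 - 60 = 1306 for IPv6)."""
    return mtu - HEADER[family]["ip"] - HEADER[family]["tcp"]


def clamp_rule(mss, family):
    """Render a MikroTik SYN MSS-clamping rule like the post's, without the
    address matchers (add src-/dst-address for your own prefixes)."""
    table = "/ip" if family == 4 else "/ipv6"
    return (f"{table} firewall mangle add action=change-mss chain=forward "
            f"new-mss={mss} passthrough=yes protocol=tcp tcp-flags=syn "
            f"tcp-mss={mss + 1}-65535")


def simulated_probe(limit_mtu, family):
    """Offline stand-in for ping_probe: a constructed path with a fixed MTU
    whose output mimics the post's ping output."""
    overhead = HEADER[family]["ip"] + HEADER[family]["icmp"]

    def probe(host, fam, payload):
        if payload + overhead > limit_mtu:
            return "1 packets transmitted, 0 received, 100% packet loss\n"
        return f"76 bytes from {host}: icmp_seq=1 ttl=52\n"
    return probe


if __name__ == "__main__":
    for fam in (4, 6):
        mtu = path_mtu("www.google.com", fam)  # real probes over the tunnel
        mss = tcp_mss(mtu, fam)
        print(f"IPv{fam}: path MTU {mtu}, clamp MSS to {mss}")
        print(clamp_rule(mss, fam))
```

Run it as root or with ping's capabilities in place; the binary search needs about ten probes per address family instead of stepping the size by hand, and it stops early when the kernel already reports the MTU.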

Have fun!

linux kvm resize qcow2 Image

Here is a very short howto

virsh shutdown kvm11111
qemu-img resize hd.qcow2 +10G
fdisk /dev/vda

Command (m for help): p    (note the start sector of the partition)

Command (m for help): d    (delete the partition entry; the data on disk is untouched)

Command (m for help): n    (recreate it with the same start sector and the new, larger last sector)

Do you want to remove the signature? [Y]es/[N]o: N    (keep the existing filesystem signature)

Command (m for help): w

Boot a rescue image, then run

e2fsck -f /dev/vda1

resize2fs /dev/vda1

Have fun!

Apache mod_qos WordPress bruteforce mitigation

Hi, WordPress bruteforce attacks produce high CPU load;
here are some simple examples of how to get rid of that issue with mod_qos.

Install the apache module and enable it

apt install libapache2-mod-qos
a2enmod unique_id qos setenvif

For global mitigation, edit your apache module config

/etc/apache2/mods-enabled/qos.conf
<IfModule qos_module>
  # minimum request rate (bytes/sec at request reading):
  #QS_SrvRequestRate                                 120

  # limits the connections for this virtual host:
  #QS_SrvMaxConn                                     100

  # allows keep-alive support till the server reaches 600 connections:
  #QS_SrvMaxConnClose                                600

  # allows max 50 connections from a single ip address:
  #QS_SrvMaxConnPerIP                                 50

  # allows a single IP address to access each of the URIs /xmlrpc.php and
  # /wp-login.php not more than 10 times within 2 minutes:
  SetEnvIf Request_URI ^/xmlrpc\.php LimitWpXmlRpc
  QS_ClientEventLimitCount 10 120 LimitWpXmlRpc
  SetEnvIf Request_URI ^/wp-login\.php LimitWpLogin
  QS_ClientEventLimitCount 10 120 LimitWpLogin
</IfModule>

Per-VirtualHost mitigation apache config

<IfModule qos_module>
  # limits concurrent requests to the location to 2:
  QS_LocRequestLimitMatch "^(/wp-login\.php).*$" 2
  # does not allow more than 1 request/sec:
  QS_LocRequestPerSecLimitMatch "^(/wp-login\.php).*$" 1

  # limits concurrent requests to the location to 2:
  QS_LocRequestLimitMatch "^(/xmlrpc\.php).*$" 2
  # does not allow more than 1 request/sec:
  QS_LocRequestPerSecLimitMatch "^(/xmlrpc\.php).*$" 1
</IfModule>

Have fun!

IPSec Road Warrior Strongswan 5.8 IKEv2 swanctl Mikrotik RSA Auth

Hi,
here is my Strongswan road-warrior config using Archlinux

/etc/swanctl/conf.d/somename.conf

connections {
	somename {
		local_addrs = %any
		remote_addrs = gw.domain.tld
		vips = %any
		version = 2
		proposals = aes256-sha256-modp2048
		dpd_timeout = 120s
		rekey_time = 1d

		local {
			auth = pubkey
			certs = cert_export_work_crt.pem
			id = "work@gw.domain.tld"
		}
		remote {
			auth = pubkey
			id = "CN=gw.domain.tld"
		}
		children {
			somename {
				#start_action = start
				remote_ts = 192.168.223.0/24
				esp_proposals = aes256-sha256-modp2048
				dpd_action = start
				life_time = 8h
			}
		}
	}
}

secrets {
	rsa-somename {
		file = cert_export_work_private.pem
	}
}

Save your private key to

/etc/swanctl/private/cert_export_work_private.pem

Save your certificate to

/etc/swanctl/x509/cert_export_work_crt.pem

Save your CA certificate to

/etc/swanctl/x509ca/cert_export_ca.pem

Start and stop your VPN connection via

systemctl restart strongswan

swanctl --initiate --child somename

swanctl --terminate --child somename

Have fun!

install kimai2 into subdirectory serve via nginx and php-fpm

Hi, here is the nginx config section

location /kimai2 {
    index index.php;
    alias /srv/http/kimai2/public;
    try_files $uri $uri/ @kimai2;

    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        # $request_filename already has the alias applied, so PHP-FPM gets the real path
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
}
location @kimai2 {
    rewrite /kimai2/(.*)$ /kimai2/index.php?/$1 last;
}
location /build {
    alias /srv/http/kimai2/public/build;
}

Have fun!