Here a very short howto
virsh shutdown kvm11111qemu-img resize hd.qcow2 +10Gfdisk /dev/vda
Command (m for help): p
Command (m for help): d
Command (m for help): n
Do you want to remove the signature? [Y]es/[N]o: N
Command (m for help): wboot a rescue image then run
e2fsck -f /dev/vda1
resize2fs /dev/vda1Have fun!
Hi, WordPress bruteforce attacks produce high cpu load
here some simple examples to get rid of that issue with mod_qos
Install apache module and enable it
apt install libapache2-mod-qosa2enmod unique_id qos setenvifFor global mitigation, edit your apache module config
/etc/apache2/mods-enabled/qos.conf<IfModule qos_module>
# minimum request rate (bytes/sec at request reading):
#QS_SrvRequestRate 120
# limits the connections for this virtual host:
#QS_SrvMaxConn 100
# allows keep-alive support till the server reaches 600 connections:
#QS_SrvMaxConnClose 600
# allows max 50 connections from a single ip address:
#QS_SrvMaxConnPerIP 50
# allows a single IP addess to access the URI /wp-login.php not more
# than 10 times within 2 minutes:
SetEnvIf Request_URI ^/xmlrpc.php LimitWpXmlRpc
QS_ClientEventLimitCount 10 120 LimitWpXmlRpc
SetEnvIf Request_URI ^/wp-login.php LimitWpLogin
QS_ClientEventLimitCount 10 120 LimitWpLogin
</IfModule>Per Virtualhost mitigation apache config
<IfModule qos_module>
# limits concurrent requests to the locations:
QS_LocRequestLimitMatch "^(/wp-login.php).*$" 2
# does not allow more than 1 requests/sec:
QS_LocRequestPerSecLimitMatch "^(/wp-login.php).*$" 1
# limits concurrent requests to the locations:
QS_LocRequestLimitMatch "^(/xmlrpc.php).*$" 2
# does not allow more than 1 requests/sec:
QS_LocRequestPerSecLimitMatch "^(/xmlrpc.php).*$" 1
</IfModule>Have fun!
Hi,
here my Strongswan road-warrior config using Archlinux
/etc/swanctl/conf.d/somename.conf
connections {
somename {
local_addrs = %any
remote_addrs = gw.domain.tld
vips = %any
version = 2
proposals = aes256-sha256-modp2048
dpd_timeout=120s
rekey_time=1d
local {
auth = pubkey
certs = cert_export_work_crt.pem
id = "work@gw.domain.tld"
}
remote {
auth = pubkey
id = "CN=gw.domain.tld"
}
children {
somename {
#start_action = start
remote_ts = 192.168.223.0/24
esp_proposals = aes256-sha256-modp2048
dpd_action=start
life_time=8h
}
}
}
}
secrets {
rsa-somename {
file = cert_export_work_private.pem
}
}Save your private key to
/etc/swanctl/private/cert_export_work_private.pemSave your certificate to
/etc/swanctl/x509/cert_export_work_crt.pemSave your ca-certificate to
/etc/swanctl/x509ca/cert_export_ca.pemStart and stop your vpn connection via
systemctl restart strongswan
swanctl --initiate --child somename
swanctl --terminate --child somenameHave fun!
Hi, here the config section of nginx
location /kimai2 {
index index.php;
alias /srv/http/kimai2/public;
try_files $uri $uri/ @kimai2;
location ~ .php$ {
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location @kimai2 {
rewrite /kimai2/(.*)$ /kimai2/index.php?/$1 last;
}
location /build {
alias /srv/http/kimai2/public/build;
}
Have fun!
Hi
Here a source routing example if you have multiple networks connected on your linux host and want every ip address reachable on the internet.
network:
version: 2
renderer: networkd
ethernets:
ens3:
dhcp4: no
dhcp6: no
accept-ra: no
addresses: [81.94.xx.xx/28, "2a01:xxx:xxxx:xx::xx/64"]
gateway4: 81.94.xx.xx
gateway6: 2a01:xxx:xxxx:xx::x
nameservers:
addresses: [1.0.0.1]
ens6:
dhcp4: no
dhcp6: no
accept-ra: no
addresses: [195.16.xxx.111/25]
routes:
- to: 195.16.xxx.x/25
via: 195.16.xxx.gw
table: 102
- to: 0.0.0.0/0
via: 195.16.xxx.gw
table: 102
routing-policy:
- from: 195.16.xxx.111
table: 102
- to: 195.16.xxx.111
table: 102
Have fun!