Linux on Holmq.dk

Caddy + GeoIP + Fail2Ban (Pushover) — Setup Notes

Tue, 27 Jan 2026 13:50:37 +0100

This document describes:

Building a custom Caddy container image with the GeoIP plugin (so Caddy can enrich access logs with country code/name). - Configuring Caddy JSON access logs to include GeoIP fields. - Setting up Fail2Ban to parse Caddy logs and send Pushover notifications with GeoIP info via mmdblookup. - Optional “SOC dashboard” style fields (severity, jail type, ban time, until).

Anycast DNS PfSense

Mon, 15 Apr 2024 11:33:04 +0200

Ubuntu Anycast DNS Server with BGP announcement to pfSense

Update Tailscale on GLiNet AXT-1800

Sun, 10 Mar 2024 11:35:45 +0100

How to upgrade tailscale on GL-iNet AXT-1800

IPtables

Tue, 06 Feb 2024 10:08:29 +0100

## Set default policies
iptables -P INPUT DROP
iptables -P FOWARD DROP
iptables -P OUTPUT DROP

## Allow traffic to and from the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## Allow outbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## Allow others to ping this machine
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## Ratelimit incomming SSH connections
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptabes -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT

## Save rules on Debian/Ubuntu
apt install iptables-persistent
netfilter-persistent save

## Save rules on RHEL
chkconfig iptables on
service iptables save

General network settings

## Drop ICMP echo-request messages. Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

## Drop source routed packets. Source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network.
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv6.conf.all.accept_source_route=0

## Enable TCP SYN cookie protection from SYN floods. Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake
sysctl -w net.ipv4.tcp_syncookie=1

## Don't accept ICMP redirect messages. Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
 
## Don't send ICMP redirect messages.
syctl -w net.ipv4.conf.all.send_redirects=0

## Enable Reverse Path Filtering. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)
sysctl -w net.ipv4.conf.all.rp_filter=1
 
## Log packets with wrong source addresses
sysctl -w net.ipv4.conf.interface.log_martians=1

Minisign

Wed, 18 Oct 2023 11:59:29 +0200

Sign and verify signatues with minisign

Tips and trick using curl

Fri, 18 Aug 2023 13:01:44 +0200

Download files

curl -O https://test.example.com/madplan.json
curl -O -L http://test.example.com/madplan.json # Follows links. In this example the http request will be redirected to https
curl -o test.json https://test.example.com/test.json # Saves the file as test.json

Send host header

Usefull when the server is hosting multiple domains

Speedtest using curl

Fri, 14 Jul 2023 11:48:28 +0200

Run a speedtest using CLI

SSH Tips and Tricks

Fri, 03 Jun 2022 09:27:52 +0200

This is just a brief overview of the options I’m using every now and then.

SSH Agent Forwarding

Thu, 02 Jun 2022 13:29:35 +0200

A simple way to connect to a server or pc without having the private key on the jump server

Linux VRRP

Fri, 25 Mar 2022 11:58:50 +0100

Here’s some configuration examples from a VRRP(Virtual Router Redundancy Protocol) experiment i did. This is used to create a high available DNS resolver with Unbound . I used RHEL 8 as my distribution of choice, but I’m sure this can be used on any RHEL deviate or linux distribution

Downgrade Centos 8 Stream to Centos 8

Mon, 13 Dec 2021 10:17:58 +0100

I have a few CentOS machines that needs to be converted to RHEL and that can be done using the convert2rhel script. However I’m running CentOS 8 Stream, which can’t be converted to RHEL 8, so I have to do a dowgrade to CentOS 8 first.