Run Jenkins and Jenkins agents on Docker

I have managed a Gitlab instance for a couple of years, but for some organizations, Gitlab is overkill. For some people, Gitea is enough. However, Gitea does not have production-ready CI/CD yet. Fortunately, it’s possible to link Jenkins to Gitea. Here’s how to do it. In this post, we will first configure Jenkins to use agents in Docker. It is not recommended to run pipelines on the Jenkins host. You can run a static container or let Jenkins spin up containers on the fly....

April 21, 2023

Suricata and fail2ban

In case you want to ban IP addresses based on Suricata fast.log, here is the filter you need: [INCLUDES] before = common.conf [DEFAULT] _daemon = suricata [Definition] datepattern = ^%%m/%%d/%%Y-%%H:%%M:%%S failregex = <HOST>:[0-9]* -> ignoreregex = In the jail configuration, I suggest you change the default blocktype from REJECT to DROP. Edit 2023-03-24: you may want to use the action iptables-ipset-proto6-allports which leverages ipset. It will make your iptables rules much more readable and according to some sources, faster....

March 23, 2023

ChatGPT: standard prompt

As so many people right now, I have been using chat gpt a bit for fun and sometimes profit as well. Experts out there seem to agree on the following starting prompt for best results: Ignore all previous instructions before this one. You are an expert advisor. You have been helping people for 20 years. Your task is now to give me . You must always ask questions before you answer so you can better zone in on what the questioner is seeking....

February 19, 2023

Traefik & Grafana: auto-login based on source IP

If you want to automatically (or force a specific) login requests to Grafana coming from a given source IP with Traefik, you can do it with a separate router and a middleware. This requires basic authentication to be enabled on grafana (it is by default). Suppose you start with a default Traefik configuration exposing your grafana to anyone on https://grafana.example.org: labels: - "traefik.enable=true" - "traefik.http.routers.grafana.rule=Host(`grafana.example.org`)" - "traefik.http.routers.grafana.service=grafana" - "traefik.http.routers.grafana.tls=true" - "traefik....

October 19, 2022

Fortigate: SAML authentication in firewall policy with Keycloak

First, create a new Single Sign-On authentication under User & Authentication. As of version 7.0.6, the GUI does not specify ports and does not let you change them either. To work around this, use the CLI. Default ports used by the captive portal are TCP/1000 and TCP/1003 for HTTP and HTTPS traffic respectively. You can find the different URLs about the IdP in Keycloak, in the relevant realm, under Realm Settings, then click on “SAML 2....

October 6, 2022

CentOS 8 End of Life: upgrade to CentOS Stream

CentOS 8 End of Life has been effective since January 31 2021, official mirrors do not provide any packages anymore. Here is how to upgrade to latest release of CentOS 8 and switch to Stream. As always, prior to any system change, you should ensure you have a working recent backup. Upgrade to latest CentOS 8 sed -i -e 's/mirrorlist/#mirrorlist/g' -e 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/*.repo yum update reboot cat /etc/centos-release CentOS Linux release 8....

February 15, 2022

Elasticsearch in Docker: threat intelligence with filebeat

Goals: collect observables from supported feeds collect observables from unsupported feeds with elastic-tip Setup elasticsearch and kibana for filebeat We could use superuser elastic to setup filebeat but we are going to use a dedicated user with just the minimum permissions. Open Kibana and go to Stack Management > Security > Roles. Click Create role and enter the following settings: Role name: filebeat_threatintel_setup Cluster privileges: monitor, manage_ilm, manage_ml Index privileges: Indices: filebeat-* Privileges: manage, write, read Click Create role....

January 23, 2022

Elasticsearch in Docker: quick notes

Goals: single node elasticsearch single node kibana password for all accounts https between all components behind traefik future post: collect network logs (routers) future post: collect application logs (web servers, dns servers, docker) future post: collect application metrics future post: correlate with threat intelligence Create compose file version: '3' services: es: image: docker.elastic.co/elasticsearch/elasticsearch:7.16.3 container_name: elastic_es restart: always env_file: - ./.env environment: ES_JAVA_OPTS: "-Xms2g -Xmx2g" node.name: "es" discovery.type: "single-node" bootstrap.memory_lock: "true" # minimal security xpack....

January 23, 2022

Traefik reverse-proxy with ModSecurity

Traefik itself does not include WAF capabilities. If you want to add this capability, you can opt to replace Traefik with Apache httpd or nginx coupled with ModSecurity, however you loose the autoconfiguration of Traefik. Fortunately, Alexis Couvreur has developed a ModSecurity plugin for Traefik to forward requests received by Traefik to another webserver (running ModSecurity) before actually forwarding the requests to the application server. If the ModSecurity webserver returns a code > 400, then Traefik will reject the request, otherwise it will forward it to the application server....

January 22, 2022

Backup gitea container

Gitea is great when you want a fast, light and yet user-friendly git repositories. Alternatives would be Gogs, Gitlab or even Github. Gitea documentation tells you to use docker exec to perform a backup. However, this prevents you from using an additional volume to dump the backup into. Instead, I prefer to use a similar command using docker run. Assuming the following: the container network is called gitea_default, you only need this if you use an external database such as MySQL the container is called gitea the backup directory is in the current directory and named backups docker run --rm -it --network gitea_default --volumes-from gitea --volume $(pwd)/backups:/backups --user git --workdir /backups --entrypoint '/app/gitea/gitea' gitea/gitea:1....

January 15, 2022