Restrict docker container resource usage with docker compose

By default, the resources available to containers are not limited. However, sometimes you want to make sure a container is not going to use too much processing power or memory. To achieve this, in the docker-compose.yml file, add the following sections to the service you want to restrict:

deploy:
  resources:
    limits:
      cpus: "1.0"
      memory: 100M
memswap_limit: 100M

This will effectively limit the container to using at most one CPU and 100 megabytes of memory. ...

March 1, 2024 · 1 min

OpenSSH CVE-2023-48795 mitigation

If you cannot upgrade your OpenSSH client and/or server to fix CVE-2023-48795, also known as the Terrapin attack, the way to mitigate it is to disable the vulnerable ciphers, as Red Hat explains very well. If you have a recent OpenSSH version, you can disable the ciphers by adding “-” before them in the Ciphers and MACs options. This works for both the ssh client config (/etc/ssh/ssh_config by default) and the ssh server config (/etc/ssh/sshd_config). ...

December 21, 2023 · 2 min

Contabo: A great cloud for personal use

I’m a personal user of Contabo’s cloud services, and I’ve been delighted with them. They offer a wide range of services to choose from, including VPS, dedicated servers, and cloud storage. I’m currently using a VPS to host my personal website and email, and I have also used their Storage VPS and object storage in the past. I have had no issue with my VPS over the years. I’ve also been impressed with Contabo’s customer support. They’ve always been quick to respond to my questions. ...

October 30, 2023 · 1 min

ComfyUI: remove metadata from image files

When you generate a file using ComfyUI, metadata is added to the image automatically. Amongst the metadata, there is the full workflow, including the prompt. If you want to remove that data, you can use ImageMagick convert with the -strip option:

convert image.png -strip image_strip.png

If you want to alter the original file, use mogrify:

mogrify -strip image.png

July 23, 2023 · 1 min

Run Jenkins and Jenkins agents on Docker

I have managed a Gitlab instance for a couple of years, but for some organizations, Gitlab is overkill. For some people, Gitea is enough. However, Gitea does not have production-ready CI/CD yet. Fortunately, it’s possible to link Jenkins to Gitea. Here’s how to do it. In this post, we will first configure Jenkins to use agents in Docker. It is not recommended to run pipelines on the Jenkins host. You can run a static container or let Jenkins spin up containers on the fly. We will do both. We will connect to the containers using an SSH key. ...

April 21, 2023 · 5 min

Suricata and fail2ban

In case you want to ban IP addresses based on Suricata fast.log, here is the filter you need:

[INCLUDES]
before = common.conf

[DEFAULT]
_daemon = suricata

[Definition]
datepattern = ^%%m/%%d/%%Y-%%H:%%M:%%S
failregex = <HOST>:[0-9]* ->
ignoreregex =

In the jail configuration, I suggest you change the default blocktype from REJECT to DROP.

Edit 2023-03-24: you may want to use the action iptables-ipset-proto6-allports, which leverages ipset. It will make your iptables rules much more readable and, according to some sources, faster. Just edit your jail.conf and replace the default banaction_allports entry with iptables-ipset-proto6-allports, or explicitly mention iptables-ipset-proto6-allports in the jail configuration of suricata, like so: ...

March 23, 2023 · 2 min

Traefik & Grafana: auto-login based on source IP

If you want requests to Grafana coming from a given source IP to be logged in automatically (or forced to a specific login) with Traefik, you can do it with a separate router and a middleware. This requires basic authentication to be enabled on Grafana (it is by default). Suppose you start with a default Traefik configuration exposing your Grafana to anyone on https://grafana.example.org:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.grafana.rule=Host(`grafana.example.org`)"
  - "traefik.http.routers.grafana.service=grafana"
  - "traefik.http.routers.grafana.tls=true"
  - "traefik.http.routers.grafana.tls.certresolver=myresolver"
  - "traefik.http.routers.grafana.entrypoints=websecure"
  - "traefik.http.services.grafana.loadbalancer.server.port=3000"

To force requests coming from the IP 1.1.1.1 to be authenticated as the foobar user, add the following labels after enabling Traefik and before the grafana router: ...

October 19, 2022 · 1 min

CentOS 8 End of Life: upgrade to CentOS Stream

CentOS 8 End of Life has been effective since January 31 2021; official mirrors no longer provide any packages. Here is how to upgrade to the latest release of CentOS 8 and switch to Stream. As always, prior to any system change, you should ensure you have a working recent backup.

Upgrade to latest CentOS 8

sed -i -e 's/mirrorlist/#mirrorlist/g' -e 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/*.repo
yum update
reboot
cat /etc/centos-release
CentOS Linux release 8.5.2111

Make sure everything is working as expected. ...

February 15, 2022 · 1 min

Elasticsearch in Docker: threat intelligence with filebeat

Goals:
- collect observables from supported feeds
- collect observables from unsupported feeds with elastic-tip

Setup elasticsearch and kibana for filebeat

We could use the superuser elastic to set up filebeat, but we are going to use a dedicated user with just the minimum permissions. Open Kibana and go to Stack Management > Security > Roles. Click Create role and enter the following settings:

- Role name: filebeat_threatintel_setup
- Cluster privileges: monitor, manage_ilm, manage_ml
- Index privileges:
  - Indices: filebeat-*
  - Privileges: manage, write, read

Click Create role. ...

January 23, 2022 · 3 min

Elasticsearch in Docker: quick notes

Goals:
- single node elasticsearch
- single node kibana
- password for all accounts
- https between all components
- behind traefik
- future post: collect network logs (routers)
- future post: collect application logs (web servers, dns servers, docker)
- future post: collect application metrics
- future post: correlate with threat intelligence

Create compose file

version: '3'
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.16.3
    container_name: elastic_es
    restart: always
    env_file:
      - ./.env
    environment:
      ES_JAVA_OPTS: "-Xms2g -Xmx2g"
      node.name: "es"
      discovery.type: "single-node"
      bootstrap.memory_lock: "true"
      # minimal security
      xpack.security.enabled: "true"
      # no encryption on internode communication
      xpack.security.transport.ssl.enabled: "false"
      # https traffic
      xpack.security.http.ssl.enabled: "true"
      xpack.security.http.ssl.key: "${CERTS_DIR}/es.key"
      xpack.security.http.ssl.certificate: "${CERTS_DIR}/es_chain.crt"
      xpack.security.http.ssl.certificate_authorities: "${CERTS_DIR}/ca.crt"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    networks:
      - reverseproxy
      - default
    volumes:
      - data:/usr/share/elasticsearch/data
      - certs:${CERTS_DIR}:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.elastic.rule=Host(`elasticsearch.foobar.com`)"
      - "traefik.http.routers.elastic.service=elastic"
      - "traefik.http.routers.elastic.tls=true"
      - "traefik.http.routers.elastic.tls.certresolver=le"
      - "traefik.http.routers.elastic.entrypoints=websecure"
      - "traefik.http.services.elastic.loadbalancer.server.port=9200"
      - "traefik.http.services.elastic.loadbalancer.server.scheme=https"
      - "traefik.http.services.elastic.loadbalancer.serversTransport=elastic"
      - "traefik.http.serversTransports.elastic.serverName=es"
      - "traefik.http.serversTransports.elastic.insecureSkipVerify=true"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 4000M
    memswap_limit: 4000M
  kibana:
    image: docker.elastic.co/kibana/kibana:7.16.3
    container_name: elastic_kibana
    restart: always
    depends_on:
      - es
    env_file:
      - ./.env
      - ./.env.kibana
    environment:
      - ELASTICSEARCH_URL="https://es:9200"
      - ELASTICSEARCH_HOSTS=["https://es:9200"]
      # minimal security: defined in environment files
      # kibana has to trust elasticsearch certificate
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES="${CERTS_DIR}/ca.crt"
      # https traffic between other components and kibana
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_KEY=${CERTS_DIR}/kibana.key
      - SERVER_SSL_CERTIFICATE=${CERTS_DIR}/kibana_chain.crt
      - SERVER_PUBLICBASEURL=https://kibana.foobar.com
    networks:
      - reverseproxy
      - default
    volumes:
      - certs:${CERTS_DIR}:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kibana.rule=Host(`kibana.foobar.com`)"
      - "traefik.http.routers.kibana.service=kibana"
      - "traefik.http.routers.kibana.tls=true"
      - "traefik.http.routers.kibana.tls.certresolver=le"
      - "traefik.http.routers.kibana.entrypoints=websecure"
      - "traefik.http.services.kibana.loadbalancer.server.port=5601"
      - "traefik.http.services.kibana.loadbalancer.server.scheme=https"
      - "traefik.http.services.kibana.loadbalancer.serversTransport=kibana"
      - "traefik.http.serversTransports.kibana.serverName=kibana"
      - "traefik.http.serversTransports.kibana.insecureSkipVerify=true"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 4000M
    memswap_limit: 4000M
volumes:
  data:
  certs:
    name: elastic_certs
    external: true
networks:
  reverseproxy:
    external: true

Create a file named .env with the following content: ...

January 23, 2022 · 3 min