Blocking pizzaseo querying clients

While I was updating some settings with my bind server on Ubuntu 20, I noticed a lot of queries for “pizzaseo.com”, which appears to be some kind of marketing company trying to scrape for data. From reading about it in forums, apparently they’re looking for vulnerable Pi-hole servers that are exposed to the internet. …

Site-to-Site VPN Firewall Rules

When adjusting settings for a site-to-site VPN, don’t forget to update the firewall rules. Make sure the appropriate subnets for your networks are covered. In /etc/ufw/before.rules:

    # OpenVPN Rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Allow traffic from OpenVPN client to ens32
    -A POSTROUTING -s 192.168.52.0/24 -o ens32 -j MASQUERADE
    -A POSTROUTING -s 172.22.1.0/24 -o ens32 …

Getting DKIM working

I used these two sites to figure out how to get DKIM working:

https://wiki.debian.org/opendkim
https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

Install opendkim and opendkim-tools

    cd /etc/dkimkeys
    opendkim-genkey -t -s mail -d technomancer.com

Edit /etc/opendkim.conf:

    Domain technomancer.com
    KeyFile /etc/dkimkeys/mail.private
    Selector mail
    Socket local:/var/spool/postfix/opendkim/opendkim.sock
    # Specify the list of keys
    KeyTable file:/etc/dkimkeys/keytable
    # Match keys and domains. To use regular expressions in …

Setting up DNSSEC in bind9

Install the bind9 packages. Make sure it’s enabled in named.conf.options:

    dnssec-validation auto;
    dnssec-lookaside auto; # Need to look up what this one is

Generate the keys (pick an appropriate algorithm; today (22 Mar 2021), ECDSAP384SHA384 seems to be the “ideal”):

    dnssec-keygen -a ECDSAP384SHA384 -b 4096 -n ZONE technomancer.com
    dnssec-keygen -f KSK -a ECDSAP384SHA384 -b 4096 -n ZONE …

Setting up freeradius on Ubuntu

Add client to /etc/freeradius/3.0/clients.conf:

    client someclient.tek {
        ipaddr=172.22.42.4
        secret=xxxxxxxxxxxxxxxxx
        shortname=internal-network
        login = !root
    }

Set daemon to run with group shadow in /etc/freeradius/3.0/radiusd.conf

Uncomment unix type in /etc/freeradius/3.0/sites-available/default to enable reading of passwd/shadow information.