I get 5 free personal Ubuntu Pro machines with my code:
sudo pro attach C1371zMzQm1trtCrXBHszisfsjVP3k
last check: 8 minutes ago
kernel: 5.15.0-102.112-generic
server check-in: succeeded
kernel state: ✓ kernel series 5.15 is covered by Livepatch
patch state: ✓ no livepatches available for kernel 5.15.0-102.112-generic
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 4c475e9d1ccb4469ada52e123a607c5
http-proxy: ""
https-proxy: ""
no-proxy: ""
remote-server: https://livepatch.canonical.com
ca-certs: ""
check-interval: 60 # minutes
log-level: WARNING
disable-signature-verification: false
tls-patch-download: false
Monitoring is set up with UptimeRobot.
Status page is here
I am using nft-blackhole.py to block countries from accessing my server. The configuration file is located in /etc/nft-blackhole.conf
The country IP blocks come from here
The nft-blackhole.py project is here
I recreated this defense using nftables and the synproxy syntax. At the end of my input chain, before it would have gone to policy drop, I added:
tcp flags syn jump SYNPROXY
Then I added a new SYNPROXY chain that does the following:
chain SYNPROXY {
synproxy mss 1460 wscale 7 sack-perm timestamp
tcp flags syn,ack drop
}
Caveat: synproxy only acts on packets that conntrack has not claimed, and it needs to see two packets from the client: the initial SYN and the ACK that completes the cookie handshake. The layout in the nftables documentation therefore marks SYNs to the protected port notrack in a prerouting chain at priority raw, matches ct state invalid,untracked in the input chain (the untracked SYN plus the final ACK, which conntrack calls invalid because it never saw a SYN) in front of the synproxy expression, follows it with ct state invalid drop, and sets net.netfilter.nf_conntrack_tcp_loose=0. A jump that fires only on tcp flags syn never passes that final ACK to synproxy, so check that new connections to the proxied ports still complete.
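As an added example (not the author's ruleset, and not part of the original page), here is the complete synproxy layout from the nftables documentation written as a stand-alone table so it can be loaded with nft -f. The table name synproxy_demo and the protected port 443 are placeholders; the mss/wscale/sack-perm/timestamp values are the ones used in the SYNPROXY chain above.

```nft
# Added example, not from the page. Placeholders: table name synproxy_demo, port 443.
# Prerequisite: sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
table inet synproxy_demo {
    chain prerouting_raw {
        # Keep conntrack away from incoming SYNs to the proxied port. Without this
        # every spoofed SYN would create a conntrack entry, which is exactly the
        # resource exhaustion synproxy is meant to prevent.
        type filter hook prerouting priority raw; policy accept;
        tcp dport 443 tcp flags syn notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept

        # Both halves of the client handshake land on this rule: the untracked SYN
        # (answered with a cookie SYN-ACK, no state kept) and the client's final ACK,
        # which conntrack classifies as invalid because it never saw the SYN. Only
        # when the cookie in that ACK validates does synproxy open the real
        # connection towards the local stack; that SYN re-enters locally (covered
        # by the lo rule) and the rest of the stream is then established.
        tcp dport 443 ct state invalid,untracked synproxy mss 1460 wscale 7 sack-perm timestamp

        # Anything still invalid here (spoofed ACKs, stray SYN-ACKs) is dropped.
        ct state invalid drop
    }
}
```

Check the file with nft -c -f before loading it with nft -f; in a ruleset that already has an input chain with policy drop, only the prerouting chain and the last two input rules need to be merged, placed after the established,related accept and before the policy drop takes effect.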
I have path watchers set up in /etc/systemd/system/publish-bx.path
[Unit]
Description=Monitor /home/jgowdy/bx.ee for changes
[Path]
PathModified=/home/jgowdy/bx.ee
PathModified=/home/jgowdy/bx.ee/_blog
PathModified=/home/jgowdy/bx.ee/assets
PathModified=/home/jgowdy/bx.ee/_includes
PathModified=/home/jgowdy/bx.ee/_layouts
PathModified=/home/jgowdy/bx.ee/_plugins
PathModified=/home/jgowdy/bx.ee/secret
[Install]
WantedBy=multi-user.target
And a service that runs the build script in /etc/systemd/system/publish-bx.service
[Unit]
Description=Jekyll build and deploy for bx.ee
[Service]
ExecStart=/usr/local/bin/publish-bx
User=root
Group=root
Note that this unit runs the build as root over a tree owned by jgowdy, and Jekyll executes whatever Ruby it finds in _plugins, so anyone who can write to /home/jgowdy/bx.ee (the same paths the watcher fires on) gets code execution as root on the next rebuild. Running the build as jgowdy, or as a dedicated build user that can only write to the output directory, contains that.
I have my standard restic backup scripts set up in /root/backup/
I have a nightly timer set up to run /root/backup/backup
It’s currently only configured for Backblaze B2
It’s set up to back up /etc, /usr/local/etc, /home/jgowdy and /root
I have etckeeper set up to track changes to /etc
There is a .gitignore file in /etc to keep sensitive files from being checked into git.
The private etckeeper repo is here
I was thinking about sshguard or denyhosts as a fail2ban alternative, but I need to figure out what will work with tinysshd’s log entries
NAT for the virtual machines is provided by virbr0 / 192.168.122.0/24. These chains mirror the rules libvirt installs for its default network. Note that iif/oif match on the interface index, which nft resolves when the ruleset is loaded: loading fails if virbr0 does not exist yet (libvirt creates it when the network starts), and if the interface is destroyed and recreated the index changes and the rule silently stops matching. iifname/oifname match on the name and tolerate both.
# This provides the forwarding for libvirt virtual machines (virbr0 / 192.168.122.0/24)
chain FORWARD {
type filter hook forward priority 0;
ip daddr 192.168.122.0/24 oif "virbr0" ct state established,related counter accept
oif "virbr0" iif "virbr0" counter accept
ip saddr 192.168.122.0/24 iif "virbr0" counter accept
iif "virbr0" counter reject
oif "virbr0" counter reject
}
chain OUTPUT {
type filter hook output priority 0;
# Disallow privileged interfaces for azain
#oifname "tailscale0" skuid 1004 counter drop
#oifname "virbr0" skuid 1004 counter drop
# Disallow privileged interfaces for mdey
#oifname "tailscale0" skuid 1006 counter drop
#oifname "virbr0" skuid 1006 counter drop
# Disallow privileged interfaces for mpronchick
#oifname "tailscale0" skuid 1007 counter drop
#oifname "virbr0" skuid 1007 counter drop
# Disallow privileged interfaces for krasmussen
#oifname "tailscale0" skuid 1008 counter drop
#oifname "virbr0" skuid 1008 counter drop
oif "virbr0" counter accept
}
# This provides the NAT for libvirt virtual machines (virbr0 / 192.168.122.0/24)
chain POSTROUTING {
type nat hook postrouting priority -100;
# Multicast and broadcast from the guests are returned un-NATed, as in libvirt's own rules
ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter return
ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter return
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
}
Input chain (libvirt's DNS and DHCP on virbr0, plus blanket accepts from the vnet0 and tap0 interfaces, which let anything on those interfaces reach any service on the host):
iif "virbr0" tcp dport { 53, 67 } counter accept
iif "virbr0" udp dport { 53, 67 } counter accept
iifname "vnet0" counter accept
iifname "tap0" counter accept
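As an added example (not the author's config, and not part of the original page), the per-user interface restrictions that are commented out in the OUTPUT chain above, expressed with named sets so that adding a user or an interface is a one-element change and the drop cannot drift behind the broad accept for virbr0. The table name egress_demo and the log prefix are placeholders; the uids and interface names are the ones on the page.

```nft
# Added example, not from the page. Placeholders: table name egress_demo, log prefix.
table inet egress_demo {
    # Local users who must not send on the privileged interfaces.
    set restricted_uids {
        type uid
        elements = { 1004, 1006, 1007, 1008 }
    }
    # Interfaces those users may not send on.
    set privileged_ifs {
        type ifname
        elements = { "tailscale0", "virbr0" }
    }
    chain output {
        type filter hook output priority filter; policy accept;
        # meta skuid is the uid that owns the local socket which produced the
        # packet, so this only matches traffic generated on the host by those
        # users (ssh, curl, ...). Forwarded VM traffic has no local socket and is
        # not affected, nor are root-owned or kernel-generated packets. The rule
        # must precede any unconditional accept for the same interfaces.
        oifname @privileged_ifs meta skuid @restricted_uids log prefix "egress-restricted: " counter drop
        oifname "virbr0" counter accept
    }
}
```

The log prefix makes attempts visible in the kernel log (journalctl -k), which is how you confirm the rule is actually being hit before relying on it; drop the log clause once it is.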
The Ubuntu Security Guide (usg, included with Ubuntu Pro) audits the machine against the CIS Benchmark: sudo usg audit cis_level1_server