Keeping your infrastructure isolated and carefully splitting hosts/VMs/interfaces in to the air-gapped security domains is crucial. It is one of the most effective techniques for securing infrastructure against data leaks and remote takeovers.
Why is it so important?
- Eliminates entire classes of cyberattacks: attackers can’t hit what they can’t reach. Ransomware, zero-days, and automated botnet most likely require inbound/outbound connections to work.
- No silent data theft – if malware or a malicious insider tries to steal your data, they can’t call home without Internet access. Data stays inside your walls.
- Simplifies monitoring & forensics - in an offline network, any unexpected connection attempt is an instant red flag (vs. noisy Internet traffic).
- Future-proofs against unknown threats.
- Real Zero Trust (without the complexity).
Local Nginx caching proxy + Harbor
Isolating your infrastructure from the Internet prevents direct access to
external package repositories and container registries. To maintain updates and
deploy containers, you'll need to set up a local caching proxy to serve these
resources internally. While this adds some setup, it ensures your environment
remains secure and fully operational without external connectivity.
Key benefits:
- packages are downloaded only once - once fetched, they're distributed via local network, dramatically speeding up multi-host updates,
- new host deployment (e.g. from templates) becomes instantaneous since all packages are already locally available,
- no tooling changes required - everything works exactly the same way (just standard
apt update && apt upgrade),
- container images are also cached (Docker/Podman/Kubernetes), using Harbor.
It’s not as hard as you think... Let's go! 🧑🏭
Read more
Introduction
Throughout my many years in business, I have constantly encountered servers
connected to the Internet... Although it is not necessary. Keeping your server
offline is one of the most effective ways to avoid serious security issues such
as data leaks and remote takeovers.
What is the most common reason for connecting servers to the Internet? Well,
the most common reason I hear is "I have to update it somehow."
There are a few ways to update offline servers very conveniently. Today I'll
show you how to do it very easily using ssh. It's not the optimal technique for
many servers, but you might find it useful.
A more efficient method for updating multiple hosts is described in my other
article about why you should keep most of your infrastructure
offline.
Read more
It's been a while since the premiere of the latest processors for the AM4
platform. That is exactly why it could be the best moment to build a powerful
workstation based on this platform (as it comes to performance + stability vs.
price). PCI-e 4.0 NVMEs are cheap and have successfully passed the test of
time, not to mention DDR4 memory which is widely available and also relatively
cheap.
It so happens that I have some AM4-based equipment left in the lab - it is a
great opportunity to start a new series about building the ultimate GNU/Linux
workstation from scratch.
Have you ever wondered what really affects the speed of your computer? Is it a
CPU? Or RAM? Not at all... The perceived speed of your system depends mainly on
the speed of your storage. I bet you have an intuition that the feeling of
using a computer with the latest processor and an old HDD would be very bad.
I will try to demonstrate how to push the speed of mass storage to its limits
using a regular home PC. I can assure you that this option is much cheaper
than buying a new computer with PCIe 5.0 and what's even more important - the
result is much better!
The goal of this series is to present an approach that will lead to building a
stable and powerful workstation capable of achieving enormous storage speeds (~30GB/s and more).
All this using Free (as in freedom) production-ready, server grade technology - GNU/Linux.
Read more
This part of the SSH series will cover the configuration of the OpenSSH client.
Configuration sources
The ssh client obtains configuration data from the following sources (in the
following order):
- command-line options,
- user's configuration file (
~/.ssh/config),
- global, system-wide configuration file (
/etc/ssh/ssh_config).
The client will use the first obtained value for each parameter. Configured
options will be used not only by the ssh itself, but by a lot of other tools
as well. That is, among others: scp, sftp, sshfs, git, ansible and
any other tool which uses the OpenSSH library/suite.
Read more
Introduction
The Secure Shell Protocol (SSH) is probably the most used protocol by
devops/sysadmins around the world.
Most people think of the SSH as a method of accessing a shell on a remote host.
The fact is that this is just one tiny usage example of the SSH. Some other
examples include:
- local port forwarding - connections to the given TCP port or Unix socket on
the local (client) host are to be forwarded to the given host and port, or
Unix socket, on the remote side.
- remote port forwarding - connections to the given TCP port or Unix socket
on the remote (server) host are to be forwarded to the local side,
- local dynamic application-level port forwarding (SOCKS proxy),
- remote dynamic application-level port forwarding (SOCKS proxy),
- tunnel device forwarding between the client and the server (L3
tun device) -
Virtual Private Network (VPN) tunnelling using the tun network
pseudo-device, allowing two networks to be joined securely,
- accessing and/or mounting a remote filesystem.
Being familiar with all the above features is absolutely essential for any SSH
user - both for the sake of convenience and for the security.
Read more
In this article, I will introduce the interesting field
of steganography. My goal is to show the basics of steganography and to present
a few techniques that will allow you to write clean, simple and, yet powerful
program.
What is steganography
Steganography is a practice of concealing a message within another message
(or a physical object) in such a way, that the message does not
attract attention to itself as an object of scrutiny.
Whereas cryptography is the practice of protecting the content of a message
alone, steganography is concerned with concealing the fact that a
secret message is sent.
Read more
I'm happy to publish my new blog. This is my second approach to finding my place
in the wide world of the Web. This page is intended to be a collection of
interesting articles which will not only allow you to discover new things,
but also gently introduce you to the details of GNU/Linux operating system,
programming, security and electronics.
Base on the conclusions from the previous blog - this time the articles will be
published in smaller parts, divided into series. Each series will consist of
several articles which together will present a complete solution to a certain
problem.
What to expect
- Fundamentals of the binary numeral system - why is it absolutely mandatory
for every programmer to understand binary numeral system - a detailed
explanation supported by many examples.
- The power of KISS principle - a world in which the user only needs to
know the basics to have enormous, almost unlimited possibilities. Introduction
to file descriptors, streams and pipes.
- The world after the encryption ban was introduced - how to keep privacy
and security using clever techniques? Step by step tutorial on how to use
KISS principle and modern C++ programming language (without any
external libraries) to write an ultimate solution.
- Meson build system - an elegant way to build and test your C++ projects.
The order in which articles will be published may be subject to change.
