Welcome!
A bit of an ancient
web2.0 design,
Couple lines of code,
thoughts, photo and a charm. Read more
Linux
Everything that concerns. Go to category
Electronics
micro, radio,
and usual. Go to category
Photo
From different categories. View category
Everyone knows about the limits on the number of connections from one IP (IP-based), but what if we want to limit the number of connections to a certain API per authorization token?
And it doesn’t matter how many different IPs will be used.
Part of the nginx config:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | map $request_uri $client_token {
"~*(?i)(token=)([a-f0-9]{32})" $2; # regex return <32str>
default ""; # Fallback to limit_req_zone:global
}
limit_req_zone $binary_remote_addr zone=global:32m rate=100r/s; # Rule_1
limit_req_zone $client_token zone=tokenlimit:32m rate=5r/s; # Rule_2
limit_req zone=global burst=25;
server {
location / {
index index.html;
root /var/www/html;
}
location = /api {
index index.html;
root /var/www/api/html;
limit_req zone=tokenlimit burst=5 nodelay; # api location
limit_req zone=global; # Fallback
limit_req_status 429; # 503
|
12/January/2024 gdm3xorgkvmsecurity
Abstractly.
There is some software that needs X’s.
Download, install, launch - enjoy.
But here’s the problem: I don’t want to run software (absolutely everything that is not included in the standard debian repository.) like this on:
In addition, a browser for regular web surfing and a browser for client banking are not the same browser, user, and sometimes even system.
We will not consider points 1, 2, 4 now; we will talk about X.
In debian, with standard system settings, LightDM is used as the default display manager.
You can enable listen tcp in it, but it runs Xorg processes as root.
In gdm3, on the contrary, by default, it launches Xorg from the user who logs into the environment, but the ability to enable listen tcp was broken.
More precisely, they left the ability to disable nolisten tcp,
but not enable listen tcp.
To do this, you need to edit the wrapper over X.
We have a laptop with intel wifi onboard which sometimes failed due to overheating, or due to long-term uptime, or channel load / pps, or whatever.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | [2250886.567817] ieee80211 phy0: Hardware restart was requested [2250886.602451] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0 [2250886.899471] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0 [2250887.042217] iwlwifi 0000:24:00.0: Microcode SW error detected. Restarting 0x2000000. [2250887.042225] iwlwifi 0000:24:00.0: Loaded firmware version: 18.168.6.1 6000g2a-6.ucode [2250887.042348] iwlwifi 0000:24:00.0: Start IWL Error Log Dump: [2250887.042349] iwlwifi 0000:24:00.0: Status: 0x0000004C, count: 6 [2250887.042482] iwlwifi 0000:24:00.0: Start IWL Event Log Dump: nothing in log [2250887.042486] iwlwifi 0000:24:00.0: BUG_ON, Stop restarting [2250887.128058] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error [2250887.128063] wlan0: failed to remove key (0, 01:11:88:ab:2c:99) from hardware (-5) [2250887.128112] iwlwifi 0000:24:00.0: iwl_trans_wait_tx_queues_empty bad state = 0 [2250887.128132] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error [2250887.128133] wlan0: failed to remove key (1, ff:ff:ff:ff:ff:ff) from hardware (-5) [2250887.228460] iwlwifi 0000:24:00.0: Request scan called when driver not ready. [2250902.567848] iwlwifi 0000:24:00.0: Command REPLY_RXON failed: FW Error [2250902.567857] iwlwifi 0000:24:00.0: Error clearing ASSOC_MSK on BSS (-5) [2250902.587425] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0 [2250902.637530] iwlwifi 0000:24:00.0: Command COEX_PRIORITY_TABLE_CMD failed: FW Error [2250902.637535] iwlwifi 0000:24:00.0: Could not complete ALIVE transition: -5 [2250902.649786] iwlwifi 0000:24:00.0: Failed to run INIT ucode: -5 [2250902.649819] iwlwifi 0000:24:00.0: Unable to initialize device. [2250960.530138] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0 [2250960.665000] iwlwifi 0000:24:00.0: Unable to initialize device. |
Basic or simple option just reboot system. But when (always) you have million open windows and million shell tabs with runned scripts over mounted partitions, it’s not a vary good option.
Reload failed wifi...21/March/2023 lxcuidgidsecurity
Installing and configuring an unprivileged lxc container with uid/gid offset.
1 | LANG=C SUITE=bookworm MIRROR=https://ftp.debian.org/debian/ lxc-create --name=unprivileged-lxc --template=debian |
Let’s add additional subuids/subgids for the root user.
1 2 3 4 5 | usermod --add-subuids 200000-265535 root usermod --add-subgids 200000-265535 root # to remove subgroups # usermod --del-subuids 200000-265535 root # usermod --del-subgids 200000-265535 root |
27/January/2023 openvpnkernelwireguard
There are a lot of articles on the Internet about improving OpenVPN speed, and often they are all focused on the settings of the server-client itself, packet sizes, encryption algorithms or disabling them. Everyone compares OpenVPN to a WireGuard. WireGuard works in kernel space and that’s what determines everything. Compared to userspace for openvpn. But that’s not quite true.
Here I must immediately clarify, that the given method of solving the problem is specific for virtual machines with small memory size, from 1Gb to 8Gb, in other cases you need to compare memory, link bandwidth and speed.
Here is a list of dynamically set values relative to the system memory size:
sysctl net.core.rmem_defaultsysctl net.core.rmem_maxsysctl net.core.wmem_defaultsysctl net.core.wmem_maxsysctl net.core.somaxconnsysctl net.core.netdev_max_backlogsysctl net.core.optmem_maxsysctl net.ipv4.udp_memsysctl net.ipv4.udp_rmem_minsysctl net.ipv4.udp_wmem_minsysctl net.ipv4.tcp_memsysctl net.ipv4.tcp_rmemsysctl net.ipv4.tcp_wmemsysctl net.ipv4.tcp_synack_retriessysctl net.ipv4.tcp_keepalive_timesysctl net.ipv4.tcp_max_tw_buckets