Just a quick bash script
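# Show what changed in every dataset of a pool since a given snapshot.
# For each dataset below $POOL that has the snapshot $SNAP, print a
# "[DATASET] name" header followed by the `zfs diff` output for it.
SNAP='backup-zfs_2026-04-24_10:34:38'
POOL='tank'
# IFS= and -r keep dataset names intact (blanks, backslashes); every
# expansion is quoted because ZFS dataset names may contain spaces.
zfs list -H -o name -r "$POOL" | while IFS= read -r ds; do
  # Datasets that do not carry this snapshot are skipped silently.
  if zfs list -H -t snapshot "${ds}@${SNAP}" >/dev/null 2>&1; then
    echo "[DATASET] $ds"
    zfs diff "${ds}@${SNAP}"
  fi
done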
Just a quick bash script
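# Show what changed in every dataset of a pool since a given snapshot.
# For each dataset below $POOL that has the snapshot $SNAP, print a
# "[DATASET] name" header followed by the `zfs diff` output for it.
SNAP='backup-zfs_2026-04-24_10:34:38'
POOL='tank'
# IFS= and -r keep dataset names intact (blanks, backslashes); every
# expansion is quoted because ZFS dataset names may contain spaces.
zfs list -H -o name -r "$POOL" | while IFS= read -r ds; do
  # Datasets that do not carry this snapshot are skipped silently.
  if zfs list -H -t snapshot "${ds}@${SNAP}" >/dev/null 2>&1; then
    echo "[DATASET] $ds"
    zfs diff "${ds}@${SNAP}"
  fi
done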
A working version for blocking intrusion attempts against warpgate
compose.yml
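# Warpgate bastion plus a Vector sidecar that turns Warpgate's container logs
# into a plain-text auth log for fail2ban on the host.
# (Indentation restored; the published listing had lost it.)
services:
  warpgate:
    container_name: warpgate
    # NOTE(review): no tag is given, so the default tag is pulled. Pin a
    # version or digest so a re-pull cannot silently change the bastion.
    image: ghcr.io/warp-tech/warpgate
    ports:
      # SSH listener, published on every host interface.
      - 2222:2222
      # Web listener, reachable from the host itself only (loopback bind).
      - 127.0.0.1:8888:8888
    volumes:
      - ./data:/data:Z
      - ./sockets:/var/run
    stdin_open: true
    tty: true
    restart: always
    environment:
      # Warpgate takes the client address from proxy headers. The client_ip
      # in the logs, and therefore every fail2ban ban derived from it, is only
      # as trustworthy as the proxy in front of port 8888: that proxy must
      # overwrite (not append to) forwarding headers sent by the client.
      # NOTE(review): the proxy itself is not shown on this page - confirm.
      - WARPGATE__WEB__TRUST_PROXY_HEADERS=true
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "3"
  vector:
    # NOTE(review): floating tag; pin a version or digest here as well.
    image: timberio/vector:latest-alpine
    container_name: vector
    restart: unless-stopped
    depends_on:
      - warpgate
    volumes:
      # Needed by the docker_logs source. The :ro flag only makes the socket
      # file read-only; it does not restrict what the Docker API accepts, so
      # this container can control the Docker daemon. Treat it as privileged.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./vector.yaml:/etc/vector/vector.yaml:ro
      # Shared with the host so fail2ban can read the generated auth.log.
      - /var/log/warpgate:/var/log/warpgate
    command: ["--config", "/etc/vector/vector.yaml"]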
vector.yaml
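# Vector pipeline: read the warpgate container's logs, keep only failed HTTP
# and SSH logins, and write one normalized line per failure for fail2ban.
# (Indentation restored; the published listing had lost it.)
sources:
  warpgate:
    type: docker_logs
    include_containers:
      - warpgate
transforms:
  to_fail2ban:
    type: remap
    inputs:
      - warpgate
    source: |
      raw = string!(.message)
      # Strip ANSI escape codes (if present)
      msg = replace(raw, r'\x1b\[[0-9;]*m', "")
      # --- 1) HTTP login failed (401) ---
      is_http_fail =
        contains(msg, "WARN HTTP:") &&
        contains(msg, "/@warpgate/api/auth/login") &&
        contains(msg, "status=401") &&
        contains(msg, "client_ip")
      # --- 2) SSH auth failed (credentials/user/password) ---
      # Example line:
      # "ERROR SSH: Failed to verify credentials ... client_ip=::ffff:222.138.251.223"
      is_ssh_fail =
        contains(msg, "ERROR SSH:") &&
        contains(msg, "Failed to verify credentials") &&
        contains(msg, "client_ip")
      # Everything that is not a failed login is discarded.
      if !(is_http_fail || is_ssh_fail) {
        abort
      }
      # Timestamp: processing time, in the layout the fail2ban datepattern expects.
      # NOTE(review): the literal "Z" claims UTC - confirm that this output and
      # the fail2ban host agree on the timezone, otherwise findtime windows shift.
      ts = format_timestamp!(now(), "%Y-%m-%dT%H:%M:%SZ")
      # Extract the IP. The capture group must be named "ip" because parsed.ip
      # is read below; the name was missing from the published regex.
      # NOTE(review): this takes the first "client_ip=" in the line. If a field
      # an unauthenticated client can influence (for example a username) is
      # logged before it, a crafted value could get an unrelated address banned.
      # Check the field order in your Warpgate logs, or anchor the pattern.
      parsed = parse_regex!(msg, r'client_ip\s*=\s*(?P<ip>[0-9a-fA-F\.:]+)')
      ip = parsed.ip
      # Normalize IPv4-mapped IPv6 (::ffff:1.2.3.4) -> 1.2.3.4
      ip = replace(ip, r'^::ffff:', "")
      # Uniform output line for fail2ban
      if is_http_fail {
        .message = ts + " warpgate login failed (http) ip=" + ip
      } else {
        .message = ts + " warpgate login failed (ssh) ip=" + ip
      }
sinks:
  fail2ban_file:
    type: file
    inputs:
      - to_fail2ban
    path: "/var/log/warpgate/auth.log"
    encoding:
      codec: text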
/etc/fail2ban/filter.d/warpgate.conf
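# fail2ban filter for the normalized lines Vector writes to auth.log.
[Definition]
datepattern = ^%%Y-%%m-%%dT%%H:%%M:%%SZ
# <HOST> is the fail2ban tag that captures the address to ban. It is missing
# from the line as published ("ip=\s*$"), most likely stripped as an HTML tag,
# and is restored here. Verify with fail2ban-regex before enabling the jail.
failregex = ^.*warpgate login failed.* ip=<HOST>\s*$
ignoreregex =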
/etc/fail2ban/jail.d/warpgate.conf
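# Jail: 5 failures within 300 s ban the address for 900 s.
# NOTE(review): no ignoreip is set. Consider listing trusted management
# addresses there so a mis-parsed or spoofed client_ip cannot lock out admins.
[warpgate]
enabled = true
filter = warpgate
logpath = /var/log/warpgate/auth.log
maxretry = 5
findtime = 300
bantime = 900
banaction = iptables-docker-allports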
/etc/fail2ban/action.d/iptables-docker-allports.conf
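# Ban action that hooks a per-jail chain into DOCKER-USER, so bans also apply
# to ports published by Docker.
#
# The <name> and <ip> tags are missing from the text as published ("f2b-",
# "-s -j DROP"), most likely stripped as HTML tags; they are restored here.
# Line breaks are restored as well. Verify the result before use.
#
# NOTE(review): DOCKER-USER is only traversed by traffic forwarded to
# containers. That covers the published SSH port. The web port is bound to
# 127.0.0.1 in compose.yml, so web clients presumably arrive through a proxy on
# the host; a ban here then cuts their SSH access but not further web logins,
# unless the proxy is protected separately. Confirm against your setup.
#
# NOTE(review): "+=" does not look like an append operator in fail2ban's
# config syntax. After starting the jail, check with
# "ip6tables -n -L DOCKER-USER" that the IPv6 rules really exist.
[Definition]
# IPv4
actionstart = iptables -N f2b-<name> || true
              iptables -C DOCKER-USER -j f2b-<name> || iptables -I DOCKER-USER -j f2b-<name>
              iptables -A f2b-<name> -j RETURN
actionstop = iptables -D DOCKER-USER -j f2b-<name> || true
             iptables -F f2b-<name> || true
             iptables -X f2b-<name> || true
actioncheck = iptables -n -L DOCKER-USER | grep -q f2b-<name>
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
actionunban = iptables -D f2b-<name> -s <ip> -j DROP
# IPv6
actionstart += ip6tables -N f2b-<name> || true
               ip6tables -C DOCKER-USER -j f2b-<name> || ip6tables -I DOCKER-USER -j f2b-<name>
               ip6tables -A f2b-<name> -j RETURN
actionstop += ip6tables -D DOCKER-USER -j f2b-<name> || true
              ip6tables -F f2b-<name> || true
              ip6tables -X f2b-<name> || true
actioncheck += ip6tables -n -L DOCKER-USER | grep -q f2b-<name>
actionban += ip6tables -I f2b-<name> 1 -s <ip> -j DROP
actionunban += ip6tables -D f2b-<name> -s <ip> -j DROP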
# Dry-run the filter against the log Vector writes. Check that the failed
# logins are matched and that the reported addresses are the expected ones
# before the jail is allowed to ban anything.
fail2ban-regex /var/log/warpgate/auth.log /etc/fail2ban/filter.d/warpgate.conf
# Restart fail2ban so the new filter, jail and action are loaded.
systemctl restart fail2ban
# Show the state of the warpgate jail.
fail2ban-client status warpgate
With the Ceph update that I made to 19.2.3 I got warnings like
pg 2.b not deep-scrubbed since 2026-02-27T00:56:11.986819+0100 pg 2.fa not deep-scrubbed since 2026-02-27T05:32:34.264221+0100
It seems that sometimes the nightly deep-scrub window is too short. I don't like warnings in the dashboard from my Proxmox cluster.
So I started to deep scrub that placement group (PG) on demand during business hours :D
ceph pg deep-scrub 2.b
I have 2048 PGs over 48 OSDs, each 8 TiB. It took 20 minutes to complete that one PG.
Schreiben (4K random write, 16 threads, 10 Sekunden)
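# 4K write benchmark: 16 concurrent I/Os for 10 seconds.
# The pool name is missing from the command as published ("-p10"); rados bench
# expects "-p POOL SECONDS MODE". Replace the placeholder with your test pool.
# --no-cleanup keeps the written objects so the read test can use them.
rados bench -p "<POOL>" 10 write --no-cleanup --object-size=4096 --concurrent-ios=16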
Lesen (4K random read, 16 threads)
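# 4K random-read benchmark: 16 concurrent I/Os for 10 seconds. It reads the
# objects left behind by a preceding write run with --no-cleanup.
# The pool name is missing from the command as published ("-p10"); replace the
# placeholder with the same pool the write test used.
rados bench -p "<POOL>" 10 rand --object-size=4096 --concurrent-ios=16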
Schreib und Lese Test mit 4MB der default Größe für Ceph
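# Write benchmark with 4 MiB objects: 16 concurrent I/Os for 10 seconds.
# The pool name is missing from the command as published ("-p10"); replace the
# placeholder with your test pool.
# --no-cleanup leaves the benchmark objects in the pool. Remove them when you
# are done:  rados -p "<POOL>" cleanup
rados bench -p "<POOL>" 10 write --no-cleanup --object-size 4194304 --concurrent-ios 16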
benchmark
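# fio benchmark against a throw-away RBD image.
# Creates a uniquely named image in $POOL, maps it, runs a mixed random
# read/write fio job directly on the mapped block device, and always unmaps
# and deletes the image again on exit.
# The whole script is one single-quoted argument to bash: do not use a single
# quote anywhere inside it (the awk program uses the quote-escape idiom).
bash -lc '
set -euo pipefail

POOL="ceph-ds"
SIZE="10G"
RUNTIME="30"
IODEPTH="32"
NUMJOBS="4"
RWMIXREAD="70" # 70/30 read/write, as is common for VM workloads
BS="4k"
IMG="fio-bench-$(hostname -s)-$(date +%Y%m%d-%H%M%S)"
DEV=""

# Best-effort teardown: unmap the device and delete the benchmark image.
# Errors are ignored on purpose so that one failed step does not skip the next.
cleanup() {
  set +e
  echo ""
  echo "[CLEANUP] unmap + remove (falls vorhanden) ..."
  if [ -n "${DEV:-}" ]; then
    rbd unmap "$DEV" >/dev/null 2>&1 || true
  else
    # DEV was never set: look the mapping up via showmapped instead
    rbd showmapped 2>/dev/null | awk -v p="$POOL" -v i="$IMG" '"'"'$2==p && $3==i {print $5}'"'"' | while read -r d; do
      [ -n "$d" ] && rbd unmap "$d" >/dev/null 2>&1 || true
    done
  fi
  rbd rm "${POOL}/${IMG}" >/dev/null 2>&1 || true
  echo "[CLEANUP] fertig."
}
# Clean up exactly once: signals are turned into a normal exit, so only the
# EXIT trap runs cleanup and the script does not continue after Ctrl-C.
trap cleanup EXIT
trap "exit 130" INT
trap "exit 143" TERM

echo "[1/4] Create RBD image: ${POOL}/${IMG} (${SIZE})"
rbd create "${POOL}/${IMG}" --size "${SIZE}"

echo "[2/4] Map RBD image"
DEV="$(rbd map "${POOL}/${IMG}")"
echo " -> mapped as: ${DEV}"
# fio writes to this path with direct I/O; refuse anything that is not a
# block device before handing it over.
if [ ! -b "${DEV}" ]; then
  echo "rbd map did not return a block device: ${DEV}" >&2
  exit 1
fi

echo "[3/4] fio VM-like test (randrw ${BS}, iodepth=${IODEPTH}, numjobs=${NUMJOBS}, rwmixread=${RWMIXREAD}, runtime=${RUNTIME}s)"
fio --name="ceph-rbd-${IMG}" \
  --filename="${DEV}" \
  --direct=1 --ioengine=libaio \
  --rw=randrw --rwmixread="${RWMIXREAD}" \
  --bs="${BS}" --iodepth="${IODEPTH}" --numjobs="${NUMJOBS}" \
  --runtime="${RUNTIME}" --time_based=1 \
  --group_reporting --eta=never

echo "[4/4] Done. Cleanup will run automatically."
'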
As a quick fix, no reboot is needed. On all your cluster nodes:
Open each host's console and run
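# Load the connection-tracking module into the running kernel (no reboot).
# The published line had both commands fused together; they are two steps.
modprobe nf_conntrack
# Load it on every boot as well. Append only if it is not listed yet, so
# running this twice does not duplicate the entry.
grep -qxF nf_conntrack /etc/modules || echo nf_conntrack >> /etc/modules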
Just a fancy alias
# pushall [branch]: push one branch to every configured remote, one after
# another. Without an argument the current branch is used (on a detached HEAD
# `git rev-parse --abbrev-ref HEAD` prints "HEAD").
# NOTE(review): this sends the branch to all remotes, including any mirror or
# third-party remote; check `git remote -v` before relying on it.
pushall = "!f(){ b=${1:-$(git rev-parse --abbrev-ref HEAD)}; for r in $(git remote); do echo \">>> pushing $b to $r\"; git push \"$r\" \"$b\"; done; }; f"
A quick solution to this is to add MACs hmac-sha2-512,hmac-sha2-256
# Per-host workaround: everything below applies to buggyhost.lan only.
Host buggyhost.lan
User git
IdentityFile ~/.ssh/mykey
# Skips the additional check of the host's IP address against known_hosts.
# The host key itself is still verified.
CheckHostIP no
# Replaces the client's default MAC list with these two for this host, which
# drops the encrypt-then-MAC (-etm) variants from the offer. Keep this scoped
# to the affected host and remove it once the server side is fixed.
MACs hmac-sha2-512,hmac-sha2-256
DISM /online /Get-CurrentEdition
Mögliche Zielversion ermitteln
DISM /online /Get-TargetEditions
Beispielausgabe: ServerStandard, ServerDatacenter –> Hier war es natürlich ServerDatacenter
Version konvertieren:
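rem Convert the running installation to the Datacenter edition.
rem Supply the product key you are licensed for; the value below is a
rem placeholder. Keep real keys out of scripts, wikis and published pages.
DISM /online /Set-Edition:ServerDatacenter /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula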
Es werden Windows-Updates installiert, es dauert noch etwas
Some IP addresses and IP ranges are reserved for special use, such as for local or private networks,
and should not appear on the public internet. These reserved ranges, along with other IP ranges
that haven’t yet been allocated and therefore also shouldn’t appear on the public internet, are
sometimes known as bogons.
Because bogon IP addresses don’t belong to a specific user or server on the internet, there’s
no way to geolocate them.
## IPv4 Bogon Ranges
| Netblock | Description |
|--------------------|-----------------------------------------------|
| 0.0.0.0/8 | "This" network |
| 10.0.0.0/8 | Private-use networks |
| 100.64.0.0/10 | Carrier-grade NAT |
| 127.0.0.0/8 | Loopback |
| 127.0.53.53 | Name collision occurrence |
| 169.254.0.0/16 | Link local |
| 172.16.0.0/12 | Private-use networks |
| 192.0.0.0/24 | IETF protocol assignments |
| 192.0.2.0/24 | TEST-NET-1 |
| 192.168.0.0/16 | Private-use networks |
| 198.18.0.0/15 | Network interconnect device benchmark testing |
| 198.51.100.0/24 | TEST-NET-2 |
| 203.0.113.0/24 | TEST-NET-3 |
| 224.0.0.0/4 | Multicast |
| 240.0.0.0/4 | Reserved for future use |
| 255.255.255.255/32 | Limited broadcast |
## IPv6 Bogon Ranges
| Netblock | Description |
|---------------|------------------------------------------------------------------------------------|
| ::/128 | Node-scope unicast unspecified address |
| ::1/128 | Node-scope unicast loopback address |
| ::ffff:0:0/96 | IPv4-mapped addresses |
| ::/96 | IPv4-compatible addresses |
| 100::/64 | Remotely triggered black hole addresses |
| 2001:10::/28 | Overlay routable cryptographic hash identifiers (ORCHID) |
| 2001:db8::/32 | Documentation prefix |
| fc00::/7 | Unique local addresses (ULA) |
| fe80::/10 | Link-local unicast |
| fec0::/10 | Site-local unicast (deprecated) |
| ff00::/8 | Multicast (Note: ff0e::/16 is global scope and may appear on the global internet.) |
## IPv6 Additional Bogon Ranges
These ranges aren’t officially IPv6 bogon ranges – they’re IPv6 representations of different IPv4 bogon ranges.
| Netblock | Description |
|-----------------------|-----------------------------------|
| 2002::/24 | 6to4 bogon (0.0.0.0/8) |
| 2002:a00::/24 | 6to4 bogon (10.0.0.0/8) |
| 2002:7f00::/24 | 6to4 bogon (127.0.0.0/8) |
| 2002:a9fe::/32 | 6to4 bogon (169.254.0.0/16) |
| 2002:ac10::/28 | 6to4 bogon (172.16.0.0/12) |
| 2002:c000::/40 | 6to4 bogon (192.0.0.0/24) |
| 2002:c000:200::/40 | 6to4 bogon (192.0.2.0/24) |
| 2002:c0a8::/32 | 6to4 bogon (192.168.0.0/16) |
| 2002:c612::/31 | 6to4 bogon (198.18.0.0/15) |
| 2002:c633:6400::/40 | 6to4 bogon (198.51.100.0/24) |
| 2002:cb00:7100::/40 | 6to4 bogon (203.0.113.0/24) |
| 2002:e000::/20 | 6to4 bogon (224.0.0.0/4) |
| 2002:f000::/20 | 6to4 bogon (240.0.0.0/4) |
| 2002:ffff:ffff::/48 | 6to4 bogon (255.255.255.255/32) |
| 2001::/40 | Teredo bogon (0.0.0.0/8) |
| 2001:0:a00::/40 | Teredo bogon (10.0.0.0/8) |
| 2001:0:7f00::/40 | Teredo bogon (127.0.0.0/8) |
| 2001:0:a9fe::/48 | Teredo bogon (169.254.0.0/16) |
| 2001:0:ac10::/44 | Teredo bogon (172.16.0.0/12) |
| 2001:0:c000::/56 | Teredo bogon (192.0.0.0/24) |
| 2001:0:c000:200::/56 | Teredo bogon (192.0.2.0/24) |
| 2001:0:c0a8::/48 | Teredo bogon (192.168.0.0/16) |
| 2001:0:c612::/47 | Teredo bogon (198.18.0.0/15) |
| 2001:0:c633:6400::/56 | Teredo bogon (198.51.100.0/24) |
| 2001:0:cb00:7100::/56 | Teredo bogon (203.0.113.0/24) |
| 2001:0:e000::/36 | Teredo bogon (224.0.0.0/4) |
| 2001:0:f000::/36 | Teredo bogon (240.0.0.0/4) |
| 2001:0:ffff:ffff::/64 | Teredo bogon (255.255.255.255/32) |
@echo off
rem Replace every "[" with "(" and every "]" with ")" in test.txt, in place.
rem Delayed expansion starts disabled so that exclamation marks in the file
rem survive the assignment from the loop variable.
setlocal enableextensions disabledelayedexpansion
set "search1=["
set "replace1=("
set "search2=]"
set "replace2=)"
set "textFile=test.txt"
rem Lines are read through type and written to a temporary file.
rem NOTE review: for /f skips empty lines and, with the default eol setting,
rem lines that start with a semicolon, so those lines are missing from the
rem result. Confirm that this is acceptable for the input.
(for /f "delims=" %%i in ('type "%textFile%"') do (
set "line=%%i"
rem Delayed expansion is switched on per line for the substring replacement
setlocal enabledelayedexpansion
set "line=!line:%search1%=%replace1%!"
set "line=!line:%search2%=%replace2%!"
echo(!line!
endlocal
)) > "%textFile%.tmp"
rem The original file is overwritten without a check that the loop succeeded.
rem Keep a backup when running this on files that matter.
move /y "%textFile%.tmp" "%textFile%" >nul