Mario – Welcome to my world

Warpage and fail2ban via vector

Posted on 09.04.202623.04.2026 by mario

A working version to block intruderce into warpgate

compose.yml

services:
  warpgate:
    container_name: warpgate
    image: ghcr.io/warp-tech/warpgate
    ports:
      - 2222:2222
      - 127.0.0.1:8888:8888
    volumes:
      - ./data:/data:Z
      - ./sockets:/var/run
    stdin_open: true
    tty: true
    restart: always
    environment:
      - WARPGATE__WEB__TRUST_PROXY_HEADERS=true
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "3"
  vector:
    image: timberio/vector:latest-alpine
    container_name: vector
    restart: unless-stopped
    depends_on:
      - warpgate
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./vector.yaml:/etc/vector/vector.yaml:ro
      - /var/log/warpgate:/var/log/warpgate
    command: ["--config", "/etc/vector/vector.yaml"]

vector.yaml

sources:
  warpgate:
    type: docker_logs
    include_containers:
      - warpgate

transforms:
  to_fail2ban:
    type: remap
    inputs:
      - warpgate
    source: |
      raw = string!(.message)

      # ANSI Escape Codes entfernen (falls vorhanden)
      msg = replace(raw, r'\x1b\[[0-9;]*m', "")

      # --- 1) HTTP Login failed (401) ---
      is_http_fail =
        contains(msg, "WARN HTTP:") &&
        contains(msg, "/@warpgate/api/auth/login") &&
        contains(msg, "status=401") &&
        contains(msg, "client_ip")

      # --- 2) SSH Auth failed (Credentials/User/Password) ---
      # Beispiel von dir:
      # "ERROR SSH: Failed to verify credentials ... client_ip=::ffff:222.138.251.223"
      is_ssh_fail =
        contains(msg, "ERROR SSH:") &&
        contains(msg, "Failed to verify credentials") &&
        contains(msg, "client_ip")

      if !(is_http_fail || is_ssh_fail) {
        abort
      }

      # Zeitstempel robust
      ts = format_timestamp!(now(), "%Y-%m-%dT%H:%M:%SZ")

      # IP extrahieren
      parsed = parse_regex!(msg, r'client_ip\s*=\s*(?P[0-9a-fA-F\.:]+)')
      ip = parsed.ip


      # IPv4-mapped IPv6 (::ffff:1.2.3.4) normalisieren -> 1.2.3.4
      ip = replace(ip, r'^::ffff:', "")


      # Ausgabezeile für fail2ban (einheitlich)
      if is_http_fail {
        .message = ts + " warpgate login failed (http) ip=" + ip
      } else {
        .message = ts + " warpgate login failed (ssh) ip=" + ip
      }

sinks:
  fail2ban_file:
    type: file
    inputs:
      - to_fail2ban
    path: "/var/log/warpgate/auth.log"
    encoding:
      codec: text

/etc/fail2ban/filter.d/warpgate.conf

[Definition]
datepattern = ^%%Y-%%m-%%dT%%H:%%M:%%SZ
failregex   = ^.*warpgate login failed.* ip=\s*$
ignoreregex =

/etc/fail2ban/jail.d/warpgate.conf

[warpgate]
enabled  = true
filter   = warpgate
logpath  = /var/log/warpgate/auth.log

maxretry = 5
findtime = 300
bantime  = 900

banaction = iptables-docker-allports

/etc/fail2ban/action.d/iptables-docker-allports.conf

[Definition]

# IPv4
actionstart = iptables -N f2b- || true
              iptables -C DOCKER-USER -j f2b- || iptables -I DOCKER-USER -j f2b-
              iptables -A f2b- -j RETURN

actionstop = iptables -D DOCKER-USER -j f2b- || true
             iptables -F f2b- || true
             iptables -X f2b- || true

actioncheck = iptables -n -L DOCKER-USER | grep -q f2b-

actionban = iptables -I f2b- 1 -s  -j DROP

actionunban = iptables -D f2b- -s  -j DROP


# IPv6
actionstart += ip6tables -N f2b- || true
               ip6tables -C DOCKER-USER -j f2b- || ip6tables -I DOCKER-USER -j f2b-
               ip6tables -A f2b- -j RETURN

actionstop += ip6tables -D DOCKER-USER -j f2b- || true
              ip6tables -F f2b- || true
              ip6tables -X f2b- || true

actioncheck += ip6tables -n -L DOCKER-USER | grep -q f2b-

actionban += ip6tables -I f2b- 1 -s  -j DROP

actionunban += ip6tables -D f2b- -s  -j DROP

fail2ban-regex /var/log/warpgate/auth.log /etc/fail2ban/filter.d/warpgate.conf
systemctl restart fail2ban
fail2ban-client status warpgate

pg 2.b not deep-scrubbed since…

Posted on 13.03.2026 by mario

With the ceph update that I nade to 19.2.3 I got warnings like

pg 2.b not deep-scrubbed since 2026-02-27T00:56:11.986819+0100
pg 2.fa not deep-scrubbed since 2026-02-27T05:32:34.264221+0100

It seems that sometimes the nightly deepscrub window is too short. I don#t like warnings in the dashboard from my proxmox cluster.
So I started to deep scrub that placement group (PG) on demand during buisness hours :D

ceph pg deep-scrub 2.b

I have 2048 PGs over 48 OSDs each 8 TiB. it took 20 Minutes to complete that one PG.

ceph speed test

Posted on 12.03.2026 by mario

Schreiben (4K random write, 16 threads, 10 Sekunden)

rados bench -p  10 write --no-cleanup --object-size=4096 --concurrent-ios=16

Lesen (4K random read, 16 threads)

rados bench -p  10 rand --object-size=4096 --concurrent-ios=16

Schreib und Lese Test mit 4MB der default Größe für Ceph

rados bench -p  10 write --no-cleanup --object-size 4194304 --concurrent-ios 16

benchmark

bash -lc '
set -euo pipefail

POOL="ceph-ds"
SIZE="10G"
RUNTIME="30"
IODEPTH="32"
NUMJOBS="4"
RWMIXREAD="70"   # 70/30 read/write wie oft bei VM-Workloads
BS="4k"

IMG="fio-bench-$(hostname -s)-$(date +%Y%m%d-%H%M%S)"
DEV=""

cleanup() {
  set +e
  echo ""
  echo "[CLEANUP] unmap + remove (falls vorhanden) ..."
  if [ -n "${DEV:-}" ]; then
    rbd unmap "$DEV" >/dev/null 2>&1 || true
  else
    # falls DEV nicht gesetzt wurde, versuchen wir es über showmapped
    rbd showmapped 2>/dev/null | awk -v p="$POOL" -v i="$IMG" '"'"'$2==p && $3==i {print $5}'"'"' | while read -r d; do
      [ -n "$d" ] && rbd unmap "$d" >/dev/null 2>&1 || true
    done
  fi
  rbd rm "${POOL}/${IMG}" >/dev/null 2>&1 || true
  echo "[CLEANUP] fertig."
}
trap cleanup EXIT INT TERM

echo "[1/4] Create RBD image: ${POOL}/${IMG} (${SIZE})"
rbd create "${POOL}/${IMG}" --size "${SIZE}"

echo "[2/4] Map RBD image"
DEV="$(rbd map "${POOL}/${IMG}")"
echo "      -> mapped as: ${DEV}"

echo "[3/4] fio VM-like test (randrw ${BS}, iodepth=${IODEPTH}, numjobs=${NUMJOBS}, rwmixread=${RWMIXREAD}, runtime=${RUNTIME}s)"
fio --name="ceph-rbd-${IMG}" \
    --filename="${DEV}" \
    --direct=1 --ioengine=libaio \
    --rw=randrw --rwmixread="${RWMIXREAD}" \
    --bs="${BS}" --iodepth="${IODEPTH}" --numjobs="${NUMJOBS}" \
    --runtime="${RUNTIME}" --time_based=1 \
    --group_reporting --eta=never

echo "[4/4] Done. Cleanup will run automatically."
'

Proxmox Cannot migrate conntrack state, target node is lacking support. Active network connections might get dropped.

Posted on 08.10.2025 by mario

As a quick fix. no reboot needed. On all your cluster nodes

Open each hosts console and run

modprobe nf_conntrack
echo nf_conntrack >> /etc/modules

git push to all / multiple origins

Posted on 29.09.202526.09.2025 by mario

Just a fancy alias

pushall = "!f(){ b=${1:-$(git rev-parse --abbrev-ref HEAD)}; for r in $(git remote); do echo \">>> pushing $b to $r\"; git push \"$r\" \"$b\"; done; }; f"

no matching MAC found. Their offer: hmac-sha2-512,hmac-sha2-256

Posted on 26.09.202526.09.2025 by mario

A quicksolutiuon to this is to add MACs hmac-sha2-512,hmac-sha2-256

Host buggyhost.lan
    User git
    IdentityFile ~/.ssh/mykey
    CheckHostIP no
    MACs hmac-sha2-512,hmac-sha2-256

Windows Sever Eval zu Datacenter

Posted on 23.09.2025 by mario

DISM /online /Get-CurrentEdition

Mögliche Zielversion ermitteln

DISM /online /Get-TargetEditions

Beispielausgabe: ServerStandard, ServerDatacenter –> Hier war es natürlich ServerDatacenter

Version konvertieren:

DISM /online /Set-Edition:ServerDatacenter /ProductKey:JFTY6-2NDFG-KKYJ6-8G76H-4C4Q4 /AcceptEula

Es werden Windows-Updates installiert, es dauert noch etwas

private IP ranges

Posted on 19.05.2025 by mario

Some IP addresses and IP ranges are reserved for special use, such as for local or private networks,
and should not appear on the public internet. These reserved ranges, along with other IP ranges
that haven’t yet been allocated and therefore also shouldn’t appear on the public internet are
sometimes known as bogons.

Because bogon IP addresses don’t belong to a specific user or server on the internet, so there’s
no way to geolocate them.

## IPv4 Bogon Ranges


| Netblock          | Description                                   |
|-------------------|-----------------------------------------------|
|0.0.0.0/8          | "This" network                                |
|10.0.0.0/8         | Private-use networks                          |
|100.64.0.0/10      | Carrier-grade NAT                             |
|127.0.0.0/8        | Loopback                                      |
|127.0.53.53        | Name collision occurrence                     |
|169.254.0.0/16     | Link local                                    |
|172.16.0.0/12      | Private-use networks                          |
|192.0.0.0/24       | IETF protocol assignments                     |
|192.0.2.0/24       | TEST-NET-1                                    |
|192.168.0.0/16     | Private-use networks                          |
|198.18.0.0/15      | Network interconnect device benchmark testing |
|198.51.100.0/24    | TEST-NET-2                                    |
|203.0.113.0/24     | TEST-NET-3                                    |
|224.0.0.0/4        | Multicast                                     |
|240.0.0.0/4        | Reserved for future use                       |
|255.255.255.255/32 | Limited broadcast                             |

## IPv6 Bogon Ranges

| Netblock     | Description                                                                       |
|--------------|-----------------------------------------------------------------------------------|
|::/128        | Node-scope unicast unspecified address                                            |
|::1/128       | Node-scope unicast loopback address                                               |
|::ffff:0:0/96 | IPv4-mapped addresses                                                             |
|::/96         | IPv4-compatible addresses                                                         |
|100::/64      | Remotely triggered black hole addresses                                           |
|2001:10::/28  | Overlay routable cryptographic hash identifiers (ORCHID)                          |
|2001:db8::/32 | Documentation prefix                                                              |
|fc00::/7      | Unique local addresses (ULA)                                                      |
|fe80::/10     | Link-local unicast                                                                |
|fec0::/10     | Site-local unicast (deprecated)                                                   |
|ff00::/8      | Multicast (Note: ff0e:/16 is global scope and may appear on the global internet.) |

## IPv6 Additional Bogon Ranges

These ranges aren’t officially IPv6 bogon ranges – they’re IPv6 representations of different IPv4 bogon ranges.

| Netblock              | Description                       |
|-----------------------|-----------------------------------|
| 2002::/24             | 6to4 bogon (0.0.0.0/8)            |
| 2002:a00::/24         | 6to4 bogon (10.0.0.0/8)           |
| 2002:7f00::/24        | 6to4 bogon (127.0.0.0/8)          |
| 2002:a9fe::/32        | 6to4 bogon (169.254.0.0/16)       |
| 2002:ac10::/28        | 6to4 bogon (172.16.0.0/12)        |
| 2002:c000::/40        | 6to4 bogon (192.0.0.0/24)         |
| 2002:c000:200::/40    | 6to4 bogon (192.0.2.0/24)         |
| 2002:c0a8::/32        | 6to4 bogon (192.168.0.0/16)       |
| 2002:c612::/31        | 6to4 bogon (198.18.0.0/15)        |
| 2002:c633:6400::/40   | 6to4 bogon (198.51.100.0/24)      |
| 2002:cb00:7100::/40   | 6to4 bogon (203.0.113.0/24)       |
| 2002:e000::/20        | 6to4 bogon (224.0.0.0/4)          |
| 2002:f000::/20        | 6to4 bogon (240.0.0.0/4)          |
| 2002:ffff:ffff::/48   | 6to4 bogon (255.255.255.255/32)   |
| 2001::/40             | Teredo bogon (0.0.0.0/8)          |
| 2001:0:a00::/40       | Teredo bogon (10.0.0.0/8)         |
| 2001:0:7f00::/40      | Teredo bogon (127.0.0.0/8)        |
| 2001:0:a9fe::/48      | Teredo bogon (169.254.0.0/16)     |
| 2001:0:ac10::/44      | Teredo bogon (172.16.0.0/12)      |
| 2001:0:c000::/56      | Teredo bogon (192.0.0.0/24)       |
| 2001:0:c000:200::/56  | Teredo bogon (192.0.2.0/24)       |
| 2001:0:c0a8::/48      | Teredo bogon (192.168.0.0/16)     |
| 2001:0:c612::/47      | Teredo bogon (198.18.0.0/15)      |
| 2001:0:c633:6400::/56 | Teredo bogon (198.51.100.0/24)    |
| 2001:0:cb00:7100::/56 | Teredo bogon (203.0.113.0/24)     |
| 2001:0:e000::/36      | Teredo bogon (224.0.0.0/4)        |
| 2001:0:f000::/36      | Teredo bogon (240.0.0.0/4)        |
| 2001:0:ffff:ffff::/64 | Teredo bogon (255.255.255.255/32) |

Windows batch remove squared brackets

Posted on 26.03.2025 by mario

@echo off
setlocal enableextensions disabledelayedexpansion

set "search1=["
set "replace1=("
set "search2=]"
set "replace2=)"

set "textFile=test.txt"

(for /f "delims=" %%i in ('type "%textFile%"') do (
    set "line=%%i"
    setlocal enabledelayedexpansion
    set "line=!line:%search1%=%replace1%!"
    set "line=!line:%search2%=%replace2%!"
    echo(!line!
    endlocal
)) > "%textFile%.tmp"

move /y "%textFile%.tmp" "%textFile%" >nul

Read all user from windows AD

Posted on 13.03.202513.02.2025 by mario

Read all user from windows AD

$ExportPath = 'C:\Users\administrator\ad-export'

$groupNames = (Get-ADGroup -Filter * -SearchBase "OU=Groups,OU=Users,DC=local,DC=exmaple")

foreach ($group in $groupNames) {
$fileName = (Get-ADGroup $group | Select-Object SamAccountName | Out-String -Stream)
$fileName2 = (
$fileName.
replace('@{Name=','').
replace('}','').
replace('\','').
Replace('SamAccountName','').
Replace('----------','').
replace('\\r\\n','').
replace('\r\n','').
replace('----','').
replace(' ','')
)
$path = $ExportPath + "\" + $fileName2 + ".csv"
Get-ADGroup $group | Get-ADGroupMember -Recursive | Get-ADUser -Properties * | Select SamAccountName, Surname, GivenName, Title, Mail | Export-Csv -NoType -Encoding UTF8 -Delimiter ";" $path
}