Practical fail2ban Configuration for SSH Protection

Any server with SSH exposed to the internet will see constant brute-force login attempts. fail2ban is a simple, effective way to deal with them.

Installation

apt update && apt install -y fail2ban

Configuration

Never edit /etc/fail2ban/jail.conf directly — it gets overwritten on updates. Create a local override:

cat > /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
port = 22
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
findtime = 600
EOF

This configuration: ...

March 20, 2026 · 2 min · Du Song

Automating Let's Encrypt Certificates with acme.sh

Managing SSL certificates manually is tedious and error-prone. Here’s how I set up fully automated certificate management using acme.sh with Cloudflare DNS validation.

Why acme.sh + DNS-01?

- No port 80 required: DNS-01 validation doesn’t need a running web server or open HTTP port
- Wildcard support: Can issue *.example.com certificates
- Cloudflare integration: API-based, fully automated
- Lightweight: Pure shell script, no dependencies

Installation

curl https://get.acme.sh | sh -s email=you@example.com
source ~/.bashrc

Cloudflare API Token

Create a token at Cloudflare Dashboard with these permissions: ...

March 1, 2026 · 2 min · Du Song

Enabling BBR Congestion Control on Linux

If you’re running a server that handles long-distance TCP connections, switching from the default Cubic to BBR can make a noticeable difference in throughput.

What is BBR?

BBR (Bottleneck Bandwidth and Round-trip propagation time) is a congestion control algorithm developed by Google. Unlike loss-based algorithms like Cubic, BBR tries to model the actual bottleneck bandwidth and RTT, leading to better performance on lossy or high-latency links.

Check Current Algorithm

sysctl net.ipv4.tcp_congestion_control

Most modern kernels default to cubic. ...

February 8, 2026 · 2 min · Du Song

Getting Started with WireGuard on Debian 12

WireGuard has become my go-to VPN solution for connecting remote machines. It’s fast, simple, and the configuration is refreshingly minimal compared to OpenVPN or IPSec.

Why WireGuard?

After years of wrestling with OpenVPN configs, WireGuard feels like a breath of fresh air:

- Performance: Runs in kernel space, significantly less overhead
- Simplicity: A single config file per interface
- Modern cryptography: ChaCha20, Curve25519, BLAKE2s — no cipher negotiation headaches
- Small codebase: ~4,000 lines of code vs. OpenVPN’s ~100,000+

Installation

On Debian 12 (Bookworm), WireGuard is available directly: ...

January 15, 2026 · 2 min · Du Song