https://blog.wgz.sh/tags/security/ Recent content in Security on wgz.sh Hugo -- 0.153.1 en-us Sun, 26 Apr 2026 20:14:30 -0400 https://blog.wgz.sh/posts/proxmox-firewall/ Sun, 26 Apr 2026 20:14:30 -0400 https://blog.wgz.sh/posts/proxmox-firewall/ <h2 id="intro">Intro</h2> <p>In my homelab I&rsquo;ve been tediously managing firewall rules using <code>ufw</code>, <code>iptables</code>, and <code>fail2ban</code>. While this works well, I believe it&rsquo;s overly complicated for my setup. This led me down the rabbit hole of how to implement firewall rules in Proxmox.</p> <p>Proxmox&rsquo;s firewall is extremely competent, but it can be tricky as well.</p> <p>One thing I learned about Proxmox is that you need to make sure the firewall is enabled in multiple places. You have several layers of firewalling, one for the hosts, one for the VMs, and one for services running in VNETs. These firewall rules are backed by either <code>iptables</code> or the more modern <code>nftables</code> in the case of VNETs.</p> https://blog.wgz.sh/posts/fail2ban-logging/ Wed, 31 Dec 2025 15:49:37 -0500 https://blog.wgz.sh/posts/fail2ban-logging/ <p>Hello everyone!</p> <p>Today I wanted to discuss how I&rsquo;m keeping track of Fail2ban logs on my Proxmox cluster.</p> <p>For those of you who don&rsquo;t know what <a href="https://github.com/fail2ban/fail2ban">Fail2ban</a> is, it is a simple program that can automatically ban threats via iptables by parsing log files and scanning for regex patterns.</p> <p>Here is a sample file that can be parsed:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#f92672">[</span>Definition<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span>failregex <span style="color:#f92672">=</span> pvedaemon<span style="color:#ae81ff">\[</span>.*authentication failure; rhost<span style="color:#f92672">=</span>&lt;HOST&gt; user<span style="color:#f92672">=</span>.* msg<span style="color:#f92672">=</span>.* </span></span><span style="display:flex;"><span>ignoreregex <span style="color:#f92672">=</span> </span></span></code></pre></div><p>And here is the the jail configuration:</p> https://blog.wgz.sh/posts/yubi/ Mon, 24 Nov 2025 21:38:36 -0400 https://blog.wgz.sh/posts/yubi/ <p>Hey Everyone!</p> <p>I wanted to share a small (pun intended) improvement to my personal security hygiene.</p> <p>That small improvement is called a <a href="https://www.yubico.com/">YubiKey</a>! For those unaware, a YubiKey is a hardware-based MFA device. It supports an MFA standard known as FIDO2, which is much more secure than TOTP.</p> <p><img alt="alt text" loading="lazy" src="https://blog.wgz.sh/images/yubikey.png"></p> <p>I&rsquo;ve begun implementing this across various applications including my personal email, DNS provider, and even 1Password. The main draw for me is that if any of your authenticator apps are compromised, you are still susceptible to a hack.</p> https://blog.wgz.sh/posts/password-managers/ Sat, 09 Aug 2025 14:39:16 -0400 https://blog.wgz.sh/posts/password-managers/ <p>What are your favorite password managers?</p> <p>I used to use LastPass, and while it worked fine for me, I eventually switched to 1Password and haven’t looked back.</p> <p>What I really like about 1Password is the extra layers of authentication. You either need a secret key or another authenticated device to approve your login. Plus, you can stack that with MFA for even more security. Last I checked, LastPass doesn’t have a secret key, just MFA.</p>