Blog

  • TpLink Omada: Services → DNS Proxy with Cloudron AdGuard Home. We like using DoH on our router.

    I finally got this to work with Cloudron AdGuard Home. It won't work with just the DNS port or encryption until you add an IP or Client ID to the allowed clients, so I am using a Client ID. This will show you how to set up DoH on AdGuard Home with the TpLink Omada DNS Proxy.

    This explains to us what Client IDs are, and I found that DNS over HTTPS is useful for our networks, since I had a wildcard certificate.

    Open AdGuard Home and log in to your admin account. Navigate to the DNS settings and find the allowed clients. I entered laketapp, which I use as our store's nickname. Then make sure you save it.

    Then go to the TpLink Omada Controller web GUI and log in as admin, then select the location where you want to set up DNS over HTTPS with Cloudron AdGuard Home.

    After you select the location, go to Services on the left side.

    Then go to DNS Proxy, enable DNS Proxy, select DoH, and add your AdGuard server; mine is https://laketapp.dns195.richardapplegate.io.

    Now check AdGuard Home to see if there are any queries.

    Yep, it's working. Now my router is communicating with my DNS server securely.

  • I built an Arista firewall for Sunrise Village to protect against DDoS.

    I built another mini computer for Sunrise Village and added another network card to it for the internal and external networks. Not only that, but I also set the internal interface to "bridge", connected my modem's wire to the firewall's "external" port, and connected the firewall's "internal" port to a 1 gigabit switch, so I can put more servers on one 1 gig switch. We had static IPs, and we're using these on our servers, so my firewall will not protect my servers until I create firewall rules and set up Threat Prevention and Virus Blocker.

    We can upgrade to 2.5 Gig or 10 Gig speed on our server and firewall, but our plan is 600 Mbps with 200 Mbps upload, so it is enough for all my servers hosted on the switch.

    Not only that, but we have three locations that require a firewall. I set up a firewall at Sunrise Village a few days ago, and it is working well. We need to protect the location where our server is, which runs all of our store network, our Slack alternative, and cloud storage.

    User 1: Omada TpLink Router Hosting
    User 2: Web and Email Hosting
    User 3: all apps in one server solution.

    A firewall serves as a safeguard against distributed denial-of-service attacks on the Internet.
    The firewall on our modem is weak, and we're still getting DDoS attacks. We need a better firewall, so we don't have to worry about our server and network systems.

  • How to Protect Your SSH Server from Brute-Force Attacks with Fail2Ban on Ubuntu


    Fail2Ban is a free Python tool that helps protect Linux servers from brute-force attacks. It’s especially useful for securing SSH. With Fail2Ban, you can automatically block IPs that try to guess passwords on your server.

    Why Use Fail2Ban for SSH Protection?

    Brute-force attacks can cause thousands of failed login attempts every day. If your server uses password-based logins, you need a way to block attackers. Fail2Ban watches your log files and blocks any IP that tries—and fails—too many times.


    Step 1: Update Your Ubuntu Server

    First, make sure your system is up to date:

    sudo apt update && sudo apt upgrade
    

    Step 2: Install Fail2Ban

    Install Fail2Ban using apt:

    sudo apt-get install fail2ban
    

    Enable Fail2Ban to start automatically:

    sudo systemctl enable fail2ban.service
    

    Step 3: Configure SSH Protection

    Do not edit the default config file!
    Instead, create a new file for your custom settings:

    sudo nano /etc/fail2ban/jail.local
    

    Add these lines to protect your SSH server:

    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    findtime = 300
    bantime = 3600
    ignoreip = 127.0.0.1
    

    What these settings mean:

    • enabled: Turns on protection for SSH
    • maxretry: Blocks an IP after 3 failed logins
    • findtime: Looks for failed attempts in a 5-minute window (300 seconds)
    • bantime: Blocks the IP for 1 hour (3600 seconds)
    • ignoreip: Never blocks your own server

    Step 4: Restart Fail2Ban

    Apply your new settings by restarting Fail2Ban:

    sudo systemctl restart fail2ban.service
    

    Now, Fail2Ban will automatically block any IP that fails to log in 3 times within 5 minutes.
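
    A simplified model of how maxretry, findtime, bantime and ignoreip from the jail above interact, run over constructed auth.log lines. This is an added example, not Fail2Ban's own code; the regex, the `simulate` and `log` helpers, the assumed year and the sample IPs are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Values from the [sshd] jail above.
MAXRETRY, FINDTIME, BANTIME = 3, 300, 3600
IGNOREIP = [ip_network("127.0.0.1/32")]

# Simplified stand-in for the sshd filter: password failures only.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(lines, year=2024):
    """Return {ip: (ban_start, ban_end)} for auth.log-style lines in time order."""
    recent, bans = {}, {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                      # not a failed login
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in net for net in IGNOREIP):
            continue                      # ignoreip: never counted
        if ip in bans and ts < bans[ip][1]:
            continue                      # still banned
        # Keep only failures inside the findtime window, then add this one.
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= FINDTIME]
        recent[ip] = window + [ts]
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
            recent[ip] = []
    return bans

def log(time, msg, ip):                   # builds one constructed sample line
    return f"Mar  4 {time} host sshd[1000]: {msg} from {ip} port 40000 ssh2"

SAMPLE = [                                # constructed, documentation-range IPs
    log("10:00:01", "Failed password for root", "203.0.113.7"),
    log("10:00:05", "Failed password for invalid user admin", "203.0.113.7"),
    log("10:00:09", "Accepted password for alice", "198.51.100.20"),
    log("10:00:12", "Failed password for root", "203.0.113.7"),    # 3rd in 11 s
    log("10:01:00", "Failed password for alice", "198.51.100.20"),
    log("10:04:00", "Failed password for alice", "198.51.100.20"),
    log("10:09:30", "Failed password for alice", "198.51.100.20"), # earlier two > 300 s old
] + [log(f"10:10:0{i}", "Failed password for root", "127.0.0.1") for i in range(3)]

if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE).items():
        print(f"{ip} banned {start:%H:%M:%S} until {end:%H:%M:%S}")
```

    In the sample, 198.51.100.20 fails three times but is never banned because the failures are spread over more than findtime, and 127.0.0.1 is skipped by ignoreip.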


    How to Unban an IP Address

    If you need to remove a ban, follow this guide on unbanning with Fail2Ban.


    With Fail2Ban, your Ubuntu server has stronger SSH brute-force protection. This makes your server safer and gives you peace of mind.
