Seguridad on Servicios Rogeliowar

Wazuh SIEM with Docker: complete deployment with SSL and compliance rules

Fri, 22 May 2026 00:00:00 +0000

What is ENS and Why It Matters
#

The National Security Framework (ENS) is the mandatory cybersecurity regulatory framework for Spanish Public Administrations and private companies that provide services to them. It is regulated by the Royal Decree 311/2022 and establishes the principles, requirements, and security measures that must be applied to information systems that handle public data or services.

Connect your mobile to SSH from anywhere with WireGuard and Termius

Tue, 19 May 2026 00:00:00 +0000

The Problem
#

I needed to access my home server via SSH from my mobile phone without exposing it directly to the internet. The obvious options were bad: opening port 22 to the world is suicidal, and trusting third-party apps with root access didn’t convince me. The solution that worked: WireGuard + Termius.

Why This Combination
#

WireGuard is lightweight, fast, and consumes little battery on mobile devices. Termius is a polished SSH client that handles private keys well. Together, you have secure access without complications.

How to Clean Up Exposed Credentials in Git with git-filter-repo and Rotate Tokens

Tue, 19 May 2026 00:00:00 +0000

The Real Problem
#

I recently realized I had pushed a .env file with API credentials to a private repository. Even though it was private, that’s no excuse. A compromised access, a repository that becomes public, or simply a security audit would have exposed my tokens. I learned that I can’t rely on deleting files in subsequent commits—Git keeps all the history.

Restic: encrypted backups with deduplication for your Linux server

Mon, 11 May 2026 00:00:00 +0000

I already had backups with rsync and cron, but rsync copies files, not snapshots. If you accidentally delete a file and the backup syncs before you notice, you lose it. Restic solves that and adds something rsync will never provide: AES-256 encryption, deduplication, and snapshots with navigable history.

What makes Restic different
#

Feature	rsync	Restic
AES-256 encryption	No	Yes
Deduplication	No	Yes (block-level)
Navigable snapshots	No	Yes
Multiple backends	No	SFTP, S3, Backblaze, rclone…
Integrity checking	No	`restic check`
Retention policy	Manual	`restic forget --prune`

Deduplication is especially useful for database backups and configuration directories that change little: a Restic repository with 6 months of daily backups usually takes up much less space than 180 full copies.

VPN with Wireguard in Docker: Secure access to internal services without exposing ports

Wed, 06 May 2026 00:00:00 +0000

Why you need this
#

A few months ago I faced a common problem: I wanted to access my internal services (Jellyfin, Home Assistant, etc.) from outside my home, but I didn’t want to expose them directly on the internet. Opening ports is an unnecessary risk. The solution was to set up a VPN with Wireguard in Docker. It was the best decision I made for my home infrastructure.

Hardening Linux servers: practical guide

Fri, 01 May 2026 00:00:00 +0000

Server Security Hardening: Essential Steps
#

Having a server exposed to the Internet without minimal security configuration is leaving the door wide open. In this article, I’ve compiled the steps I apply on my own servers to reduce the attack surface without complicating day-to-day management.

SSH: the first line of defense
#

The SSH service is the most attacked entry point on any Linux server. These are the most important settings in /etc/ssh/sshd_config:

Fail2ban to protect SSH and Nginx: practical configuration on Ubuntu

Thu, 30 Apr 2026 00:00:00 +0000

The Problem: Brute Force Attacks
#

After exposing my Ubuntu server to the internet, I spent a night reviewing logs. SSH received failed login attempts every second. Nginx also had suspicious requests to common routes. I needed something to block these attempts automatically. Fail2ban was my solution.

Installation
#

sudo apt update
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Verify that it’s running:

Security email notifications from the terminal with msmtp and Gmail

Thu, 30 Apr 2026 00:00:00 +0000

Why you need this
#

When you run a server at home, you need to know if something strange happens. A script that sends you an email when it detects a failed login attempt, an expiring certificate, or a nearly full disk is invaluable. The problem is that your ISP blocks port 25, so you can’t use sendmail directly. That’s where msmtp comes in.

SSH authentication by public key: disable passwords on Ubuntu Server

Thu, 30 Apr 2026 00:00:00 +0000

Why Switch to Key-Based Authentication
#

After months of maintaining a home server with open SSH access, I got tired of brute force password attacks. Switching to public key authentication was the best security decision I made. Keys are mathematically impossible to crack through brute force, while passwords are always a target.

SSH Key Generation
#

First, generate a key pair on your local machine (not on the server):

WireGuard VPN: Access your home server from anywhere

Thu, 30 Apr 2026 00:00:00 +0000

One of the classic problems with having a server at home is secure remote access. Opening SSH ports directly to the world is a bad idea — you see it in the auth logs: hundreds of attempts per day. The elegant solution is a VPN, and WireGuard is today’s best available option.

Why WireGuard?
#

Compared to OpenVPN or IPSec:

Seguridad on Servicios Rogeliowar

Wazuh SIEM with Docker: complete deployment with SSL and compliance rules

What is ENS and Why It Matters #

Connect your mobile to SSH from anywhere with WireGuard and Termius

The Problem #

Why This Combination #

How to Clean Up Exposed Credentials in Git with git-filter-repo and Rotate Tokens

The Real Problem #

Restic: encrypted backups with deduplication for your Linux server

What makes Restic different #

VPN with Wireguard in Docker: Secure access to internal services without exposing ports

Why you need this #

Hardening Linux servers: practical guide

Server Security Hardening: Essential Steps #

SSH: the first line of defense #

Fail2ban to protect SSH and Nginx: practical configuration on Ubuntu

The Problem: Brute Force Attacks #

Installation #

Security email notifications from the terminal with msmtp and Gmail

Why you need this #

SSH authentication by public key: disable passwords on Ubuntu Server

Why Switch to Key-Based Authentication #

SSH Key Generation #

WireGuard VPN: Access your home server from anywhere

Why WireGuard? #

What is ENS and Why It Matters
#

The Problem
#

Why This Combination
#

The Real Problem
#

What makes Restic different
#

Why you need this
#

Server Security Hardening: Essential Steps
#

SSH: the first line of defense
#

The Problem: Brute Force Attacks
#

Installation
#

Why you need this
#

Why Switch to Key-Based Authentication
#

SSH Key Generation
#

Why WireGuard?
#