Joseph Palacios

Wazuh Home Lab Setup with Docker

email@sample.com (Joseph) — Mon, 16 Mar 2026 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2026-03-16-wazuh-homelab-setup/ -

Hello,

This is how I set up Wazuh on a single Debian host using Docker. Wazuh is an open source security platform that handles threat detection, log analysis, and endpoint monitoring. I’ll go through the installation, changing the default passwords, and how I deployed a Windows agent.

I’m running three containers on one Debian host. The indexer handles data storage, the manager processes events and applies rules, and the dashboard is the web UI I access on port 443. Agents on other machines report back to the manager on port 1514.

Prerequisites

Debian Linux host running as root
Docker and Docker Compose installed
At least 4 CPU cores, 8GB RAM, and 50GB of disk

1. Fix Docker Repo Duplicate (if needed)

I ran into a duplicate source error with apt. If you hit the same thing, just remove the extra entry:

rm /etc/apt/sources.list.d/docker.list
apt update

2. Set Kernel Parameter

Wazuh’s indexer (OpenSearch) needs a higher virtual memory limit. I set it and made it persist on reboot:

sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf

3. Clone the Repo

git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.3
cd wazuh-docker/single-node/

4. Generate Certificates

docker compose -f generate-indexer-certs.yml run --rm generator

5. Start Wazuh

docker compose up -d

Once it’s up, I accessed the dashboard at https://<your-host-ip>. You’ll get a browser SSL warning since it uses a self-signed cert. Click Advanced and proceed.

The default credentials are admin / SecretPassword. I’d strongly recommend changing these before doing anything else.

Changing the Default Password

Admin (Dashboard) Password

1. I stopped the stack first:

docker compose down

2. Then generated a new password hash:

docker run --rm -ti wazuh/wazuh-indexer:4.14.3 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

3. I pasted the hash into config/wazuh_indexer/internal_users.yml:

admin:
 hash: "<YOUR_NEW_HASH>"

4. I also updated the plaintext password in docker-compose.yml. Replace every occurrence of SecretPassword with your new one. If your password has a $ in it, double it (e.g. My$$Pass) or it’ll break.

5. Started it back up:

docker compose up -d

6. Then I exec’d into the indexer container to apply the security config:

docker exec -it single-node-wazuh.indexer-1 bash

Inside the container I ran:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
export CONFIG_DIR=$INSTALLATION_DIR/config
CACERT=$CONFIG_DIR/certs/root-ca.pem
KEY=$CONFIG_DIR/certs/admin-key.pem
CERT=$CONFIG_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd $CONFIG_DIR/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

After exiting the container I was able to log in with the new credentials.

API User (`wazuh-wui`) Password

1. I updated config/wazuh_dashboard/wazuh.yml:

hosts:
 - 1513629884013:
 url: "https://wazuh.manager"
 port: 55000
 username: wazuh-wui
 password: "YourNewPassword"

2. I also updated API_PASSWORD in docker-compose.yml for both the manager and dashboard sections.

3. Then restarted:

docker compose down
docker compose up -d

Keep in mind the API password must be 8-64 characters and include uppercase, lowercase, a number, and a symbol.

Deploying a Windows Agent

I went to Server Management → Endpoints Summary → Deploy new agent in the dashboard.

I opened PowerShell as Administrator by right-clicking the Start menu.

I ran ipconfig first to grab my IP so I knew what to use as the manager address.

I filled in the server address in the deploy wizard and ran the install command:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.14.3-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='<YOUR_HOST_IP>' WAZUH_AGENT_NAME='Win-Test'

Then started the service:

NET START WazuhSvc

It showed up as active in the dashboard within a minute.

Troubleshooting

Make sure port 1514 is open inbound on your Debian host
On Windows, always run PowerShell as Administrator
Agents can take a minute or two to appear after starting
Check Windows agent logs at C:\Program Files (x86)\ossec-agent\ossec.log

- https://josephpalacios.org/posts/2026-03-16-wazuh-homelab-setup/ -

My Home Network

email@sample.com (Joseph) — Fri, 13 Mar 2026 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2026-03-13-my-homelab-network-setup/ -

This is an overview of my current home network setup, including the hardware, VLAN layout, and some things I’d do differently. A follow-up post will cover the storage and services side.

Topology Overview

Everything runs through OPNsense, which handles routing, firewalling, and WireGuard for remote access. From there it trunks down to two managed switches over 802.1Q, and each switch powers a TP-Link EAP610 access point via PoE+.

The two APs are managed through Omada and each broadcasts three SSIDs mapped to different VLANs: Trusted, IoT, and Guest.

Switches

This is where I’d do things differently if I were starting over. My 2.5G PoE switch handles the heavier traffic, specifically my Proxmox cluster and TrueNAS server. I went with a cheap Chinese brand because it had the specs I wanted at the price, but it’s been a headache. The interface is confusing, support is basically nonexistent, and it doesn’t fit naturally with the rest of my setup.

My second switch is a TP-Link, and the difference is noticeable. The UI is clean, configuration is straightforward, and it works the way you’d expect.

If I were doing this again, I’d just buy two TP-Link switches from the start. Saving money on networking hardware isn’t worth the frustration when things don’t work the way you expect.

Access Points

Both APs are TP-Link EAP610s running Wi-Fi 6 with WPA3. Omada makes managing them easy, especially for VLAN tagging per SSID. Roaming between the two is seamless.

VLANs

All VLANs are carved out of a 10.212.0.0/18 block and trunked from OPNsense to both switches.

VLAN	Subnet
LAN	10.212.1.0/24
Servers	10.212.10.0/24
Trusted	10.212.20.0/24
IoT	10.212.30.0/24
Guest	10.212.40.0/24
Management	10.212.99.0/24

The Management VLAN is locked down and only used for accessing network hardware. Servers get their own subnet isolated from the main LAN. IoT and Guest are both restricted from reaching anything internal.

What I Learned

Mixing a cheap 2.5G switch into my TP-Link network has caused me some issues. I can’t integrate it with Omada (TP-Link’s SDN) and the firmware is pretty outdated. I’m also worried about reliability, though it’s held up for about a year now. Whether that’s a sign of decent quality or just luck, I honestly can’t tell.

- https://josephpalacios.org/posts/2026-03-13-my-homelab-network-setup/ -

How I Passed Cisco CCNA

email@sample.com (Joseph) — Wed, 25 Feb 2026 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2026-02-25-how-i-passed-cisco-ccna/ -

Passing the CCNA

Hello, I recently passed the CCNA and it was very hard. So far I have taken four certificate exams and this one was the hardest. The questions were harder and the mechanics of the test was more challenging. Here are my tips for passing.

Taking the test

Lets start with the mechanics of the test since this is will change the way you take on this exam. You cannot go back to your pervious questions, so no skipping the hard question until the end. Making time management a way more important skill in this exam compared to others. You are given two hours to pass, with differing amount of questions and labs. My only tip for this is to know what questions to its worth taking your time on. Personally I felt like I spent a lot of time overthinking questions, I was worried about getting a trick question. You should always take a doubt take with your answers, does this make sense, are their any other variable questions, do I fully understand this question or should I take a guess. Avoid any overthinking but do take a small double take.

Studying tips

You can pass the CCNA with buying any additional studying guides, or labs. A lot of the additonal materials is only worth it if your fine learning beyond the CCNA. The offical CCNA book is a great resource but it’s abit too much if your just planning to learn the material from the CCNA, unless you learn best from reading. I would personally recommend Jeremy’s IT Lab CCNA course. It’s free and a amazing resource. It gives you everything you might need for passing. Jermey’s course provides flash cards, labs, and a full course.

- https://josephpalacios.org/posts/2026-02-25-how-i-passed-cisco-ccna/ -

Goodbye WordPress, Hello Hugo

email@sample.com (Joseph) — Thu, 19 Feb 2026 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2026-02-19-my-first-post/ -

Hello, this is my first post on my new website. I wanted to get away from WordPress and learn some web dev in the process. The site is still pretty rough around the edges, but it’s mine and I’m happy with it so far.

One thing I already like is that blog posts are written in markdown. It’s a lot less friction than the WordPress editor, so hopefully I’ll actually write more.

How I Built It

I’m using Hugo, a static site generator. You write your posts in markdown, and Hugo compiles everything into plain HTML and CSS. No database, no plugins, no WordPress updates breaking things at random. The whole site lives in a Git repository, which I also wanted to learn more about.

The theme is Diary by AmazingRise. I customized it with a Catppuccin color scheme and a homepage layout I built myself with some help.

What’s Next

I’ll be moving my older posts over from the old site, though most of them will get rewritten. I’m not happy with the quality of some of the older ones and I’d rather put out something useful than just archive it. More posts coming soon.

- https://josephpalacios.org/posts/2026-02-19-my-first-post/ -

SSH: Concepts and Configuration

email@sample.com (Joseph) — Wed, 17 Dec 2025 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2026-03-10-ssh-setup/ -

SSH (Secure Shell) is how you remotely access another machine over a network. This is a basic overview of the concepts and commands you’ll use most often.

SSH Concepts

Public and Private Keys

SSH gives you two ways to authenticate: a password or a key pair. We’re going to use keys. They’re harder to brute force than a password and more convenient once set up, since you don’t have to type anything to log in.

The key pair has two parts.

The private key stays on your machine and never leaves it. Think of it as your actual password. Do not share it.

The public key goes on the server. It can only be used to verify that you have the matching private key. Sharing it is fine.

When you connect, the server checks if your private key matches the public key it has on file.

Public keys are stored on the server at ~/.ssh/authorized_keys. Private keys sit on your machine, usually in ~/.ssh/.

SSH Config File

Instead of typing out the full connection details every time, you can save them in ~/.ssh/config. This lets you connect with a short alias instead of a full command.

Host my-server
Hostname 192.168.1.20
User joseph
Port 22
IdentityFile ~/.ssh/my_key

After saving that, you can just run ssh my-server instead of ssh -i ~/.ssh/my_key joseph@192.168.1.20.

Common Commands

ssh

Connect to a remote machine.

ssh [USER]@[SERVER]

Modifier	Input	What it does
`-i`	path to private key	Specifies which private key to use
`-p`	port number	Connects on a specific port instead of the default 22
`-L`	`[LOCAL-PORT]:[TARGET-HOST]:[TARGET-PORT]`	Forwards a local port to a remote host through the server

ssh -i [PRIVATE-KEY] [USER]@[SERVER]
ssh -p [PORT] [USER]@[SERVER]
ssh -L [LOCAL-PORT]:[TARGET-HOST]:[TARGET-PORT] [USER]@[SERVER]

Example

For this example I want to SSH into my Linux machine at 192.168.1.20. I’m logging in as joseph, which is the local user on that machine.

The default SSH port is 22, but I changed mine to 2222, so I need to specify it with -p. I also set up key authentication, so I’m pointing to my private key with -i instead of typing a password.

ssh -i ~/.ssh/my_key -p 2222 joseph@192.168.1.20

ssh-keygen

Generate a new key pair. The output will be two files: your private key and your public key (.pub).

ssh-keygen -t [TYPE] -f [PATH] -C "[COMMENT]"

Modifier	Input	What it does
`-t`	key type	Sets the encryption type. Use `ed25519`, it’s faster and more secure than RSA
`-f`	file path	Where to save the key and what to name it
`-C`	string	A comment to identify the key later, usually your email or a description
`-b`	number	Sets the key size in bits. Only needed for RSA, ed25519 ignores this

ssh-keygen -t ed25519 -f ~/.ssh/[FILENAME] -C "[COMMENT]"
ssh-keygen -t rsa -b 4096 -f ~/.ssh/[FILENAME] -C "[COMMENT]"

Example

For this example I want to generate a new ed25519 key pair for my Linux server. I’m using -t to set the key type to ed25519. With -f I’m telling it to save the key to ~/.ssh/ and name it my_key. The -C is just a label so I know what this key is for later.

ssh-keygen -t ed25519 -f ~/.ssh/my_key -C "joseph linux server"

ssh-copy-id

Copies your public key to a server so you can log in without a password.

ssh-copy-id -i [PUBLIC-KEY] [USER]@[SERVER]

Modifier	Input	What it does
`-i`	path to public key	Specifies which public key to copy. Use the `.pub` file, not the private key
`-p`	port number	Copies to a server running SSH on a non-default port

ssh-copy-id -i [PUBLIC-KEY] [USER]@[SERVER]
ssh-copy-id -i [PUBLIC-KEY] -p [PORT] [USER]@[SERVER]

This appends your public key to ~/.ssh/authorized_keys on the server automatically.

Example

For this example I want to copy my public key to my Linux machine at 192.168.1.20 so I can log in without a password from now on.

I’m using -i to point to my public key. It has to be the .pub file — not the private key. joseph is the local user on that machine. My SSH port is set to 2222 so I also need -p to specify it.

ssh-copy-id -i ~/.ssh/my_key.pub -p 2222 joseph@192.168.1.20

scp

Copy files over SSH. Works like cp but over the network.

scp [FILE] [USER]@[SERVER]:[SERVER-DIRECTORY]

Modifier	Input	What it does
`-i`	path to private key	Specifies which private key to use
`-P`	port number	Connects on a non-default port. Note the capital P, unlike `ssh`
`-r`	none	Copies a directory recursively

# Client to server
scp [FILE] [USER]@[SERVER]:[SERVER-DIRECTORY]

# Server to client
scp [USER]@[SERVER]:[FILE] [LOCAL-DIRECTORY]

# With modifiers
scp -i [PRIVATE-KEY] -P [PORT] [FILE] [USER]@[SERVER]:[SERVER-DIRECTORY]
scp -r [DIRECTORY] [USER]@[SERVER]:[SERVER-DIRECTORY]

Example

For this example I want to copy a file from my machine to my Linux server at 192.168.1.20. I’m pointing -i to my private key for authentication. My SSH port is 2222 so I need -P to specify it. Note that scp uses a capital -P for the port, unlike ssh which uses lowercase.

scp -i ~/.ssh/my_key -P 2222 backup.tar.gz joseph@192.168.1.20:/home/joseph/backups/

For transferring large amounts of files or syncing directories, rsync is the better option. It only transfers what has changed instead of copying everything every time, which is faster and safer over an unstable connection.

rsync -avz -e "ssh -i ~/.ssh/my_key -p 2222" [DIRECTORY] [USER]@[SERVER]:[SERVER-DIRECTORY]

Additional Notes

On Debian and some other distros you may run into an issue with an unknown terminal type when trying to clear the screen or run certain commands. To fix this, just add the following to your shell config:

echo 'export TERM=xterm-256color' >> ~/.bashrc && source ~/.bashrc

- https://josephpalacios.org/posts/2026-03-10-ssh-setup/ -

How to Reflash a BIOS Chip Using a CH341A Programmer

email@sample.com (Joseph) — Wed, 29 Oct 2025 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2025-10-29-how-to-reflash-a-bios-chip/ -

Background

My coworker corrupted the BIOS on an ASUS G301QE laptop. After exhausting standard recovery methods like ASUS BIOS Flashback and battery disconnection, I proposed direct chip flashing using a CH341A programmer — a tool I previously purchased for Libreboot projects.

Requirements

CH341A USB programmer
BIOS compatibility verification for your motherboard
Flashrom application (command-line flashing utility)
Correct BIOS .bin file matching your exact motherboard model
SOIC8/SOP8 test clip
Adapter connecting CH341A to SOP8 clip
Optional: Bundle kits containing programmer, clip, and adapter together

Flashrom is standard on most Linux distributions and can be installed via package manager or built from source using Meson.

Setting Up the Programmer

Step 1: Identify Pin 1

On the SOP8 clip, pin 1 is marked by a red cable. On the programmer, look for a dot, notch, or marking indicating pin 1.

Step 2: Connect the Adapter

Connect adapter to clip first
Lift the lever on the socket
Push pins into correct positions
Pull down lever to lock everything

Step 3: Attach the Clip to the BIOS Chip

Locate the marking on the chip (dot or notch) showing pin 1’s location. Align the clip’s red cable with this pin and ensure firm contact across all pins.

Step 4: Plug in the Programmer

Insert the CH341A into a USB port. A red light should illuminate:

No light: Try a different USB port or computer
Dim red light: Possible short circuit or incorrect pin connection
Green light: Everything may be functioning correctly

Verifying Your Setup

Run flashrom to confirm installation:

flashrom

Expected output shows version information and confirmation that flashrom is installed.

Creating Verified Backups

Before writing, create two separate backups and compare their MD5 checksums to verify consistent, reliable reads:

flashrom --programmer ch341a_spi -r backupone.bin
flashrom --programmer ch341a_spi -r backuptwo.bin
md5sum backupone.bin
md5sum backuptwo.bin

Matching checksums indicate good reads and readiness to proceed. Mismatched checksums suggest clip connection issues requiring re-seating and retry.

Verifying File Sizes

Confirm that your downloaded BIOS file and backup are identical in size:

ls -l

Both files should show the exact same byte count. Size discrepancies indicate a potential wrong BIOS file — do not proceed if they don’t match.

Flashing the BIOS

flashrom --programmer ch341a_spi -w GV301QE.bin

Replace the filename with your actual BIOS file. Flashrom will erase, write, and verify the new BIOS — typically completing in 1-3 minutes. Wait for success confirmation before disconnecting anything.

Troubleshooting: File Size Mismatch

Downloaded BIOS files sometimes include headers added by manufacturers for their official flashing tools. Strip unnecessary headers using dd:

dd if=downloaded_bios.bin of=bios_no_header.bin bs=1 skip=4096

Adjust the skip value based on how many bytes larger the file is. Verify sizes match after stripping.

- https://josephpalacios.org/posts/2025-10-29-how-to-reflash-a-bios-chip/ -

Fixing Windows' Broken USB Support in BitLocker

email@sample.com (Joseph) — Thu, 16 Oct 2025 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2025-10-16-fixing-windows-usb-bitlocker/ -

I just recently started dealing with this issue and I see a lot of others doing drastic fixes like reimaging the problem PC. There’s a simple fix until Microsoft solves this. Using a recovery drive or my preferred option, Hiren’s BootCD PE ISO. If you followed my creating a multitool USB drive guide you will most likely have this ISO already.

Requirements

USB drive with Hiren’s BootCD PE installed

If you have a blank USB drive just reflash it with Rufus using the Hiren’s BootCD PE ISO. Once ready, boot into the problem PC and disable Secure Boot. Then reboot into the temporary boot screen and select the USB drive.

Video guide here

Once booted, open Command Prompt and enter the following:

# Check BitLocker status
manage-bde -status

# You'll see output like this for each drive:
# Volume C: [NAME]
# Size:
# BitLocker Version:
# Conversion Status:
# Lock Status:
# Key Protectors:

# You can also check via File Explorer — look for the lock symbol under "This PC"
# Right-click a locked drive to unlock via GUI if preferred

# Unlock the drive using your recovery key
manage-bde -unlock C: -rp "recovery-key-here"

# Turn BitLocker off completely
manage-bde -off C:

That should be it. Turn off the machine then reboot into Windows. Make sure to re-enable Secure Boot.

Backing Up Your Recovery Key

Before turning BitLocker back on, back up your recovery key:

# Check status and get the Key Protector ID
manage-bde -status C:

# Look for the "Key Protectors" section:
# Numerical Password:
# ID: {12345678-1234-1234-1234-123456789012}

# Backup to your Microsoft account (requires internet)
manage-bde -protectors -adbackup C: -id '{your-id-here}'

Turning BitLocker Back On

# Turn on BitLocker
manage-bde -on C:

# Check encryption progress
manage-bde -status C:

You can also re-enable BitLocker through Settings > Privacy & Security > Device Encryption or Control Panel > BitLocker Drive Encryption. You might get an error the first time — try again after a reboot.

- https://josephpalacios.org/posts/2025-10-16-fixing-windows-usb-bitlocker/ -

Transitioning from TrueNAS: Choosing My Next NAS OS

email@sample.com (Joseph) — Sun, 12 Oct 2025 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2025-10-12-transitioning-from-truenas/ -

I’ve decided to migrate away from TrueNAS to a custom-built solution while simultaneously fixing a problematic RAID configuration. This transition is about developing personal skills and moving beyond turnkey solutions.

Why Switch?

I value TrueNAS’s straightforward WebUI and Docker support but want greater control than the platform provides. TrueNAS remains excellent for beginners but I feel ready for a more hands-on approach. The transition also gives me a chance to fix some mistakes in my current setup.

Core Requirements

Must-haves:

Stable OS with strong hardware compatibility
RAID support with filesystem-level redundancy
Network file sharing protocols and ZFS ACLs
Docker support with active community documentation
Significantly more control than TrueNAS offers

Nice-to-haves: reduced WebUI reliance, lighter resource footprint, direct package installation, Linux/Infrastructure as Code experience.

Three Primary Candidates

Proxmox with TrueNAS VM — balanced approach, keeps TrueNAS benefits while gaining hypervisor experience. Strong community support.

Debian 12 + ZFS + Ansible — emphasizes Infrastructure as Code and Linux proficiency. Practical knowledge for DevOps career advancement.

NixOS — declarative configuration via .nix files. Cutting-edge but steeper learning curve and less portfolio relevance than Debian.

The RAID Miscalculation

I configured four 12TB drives in RAIDZ1 (4-wide), which offers only single-drive redundancy. The rebuild window spans 3-5 days, creating significant failure risk. An unrecoverable read error or second drive failure during reconstruction could result in total data loss. This stemmed from buying drives on sale without enough research.

Solution Paths

Option 1: Add one 12TB drive for 5-wide RAIDZ2 (2-drive redundancy, same 31TB usable, ~$90-110).

Option 2: Upgrade to a 6-bay chassis with two additional drives for 6-wide RAIDZ2 (2-drive redundancy, 42TB usable, ~$330-470).

Currently running SMART tests and backing up critical data while I decide. Planning to implement the fix during the OS migration.

- https://josephpalacios.org/posts/2025-10-12-transitioning-from-truenas/ -

Finally Moving Away from Cloudflare Tunnel to an Open-Source Alternative

email@sample.com (Joseph) — Mon, 11 Aug 2025 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2025-08-11-cloudflare-tunnel-to-pangolin/ -

Hello, I just switched my Cloudflare Tunnel container for an open-source alternative, Newt (Pangolin), on my home lab. They are both special reverse proxies that use a secure tunnel to expose your internal services to the internet.

There are a lot of benefits to setting up Pangolin, but it comes with a cost and requires more setup. The biggest drawback is the cost of purchasing a VPS, compared to Cloudflare Tunnel, where you just need to have a domain name.

The setup isn’t bad at all, and I found an amazing guide from Jeremy that made it incredibly simple. So while this won’t be a setup guide, I did want to bring more attention to this project. It’s everything you could love about an open-source project: better performance and better security. While Pangolin itself is amazing, using a cloud service provider comes with inherent risks.

Key Differences

Let’s consider the key differences between Cloudflare Tunnel and Pangolin (Newt):

- https://josephpalacios.org/posts/2025-08-11-cloudflare-tunnel-to-pangolin/ -

Creating a Multitool USB Drive

email@sample.com (Joseph) — Mon, 28 Jul 2025 00:00:00 +0000

Joseph Palacios https://josephpalacios.org/posts/2025-07-28-creating-a-multitool-usb-drive/ -

I want to start carrying around a USB drive filled with all the tools I may need. Before, I carried a couple of USB drives — one for imaging and one for storage/tools. Having everything on one drive would be a lifesaver. I could see myself using a GParted ISO to resize partitions or opening notes with portable apps. I’m going to use Windows for this one, but you can follow along on Linux if you know your way around.

Ventoy creates multiboot USBs by copying ISOs directly and auto-generating a boot menu. PortableApps runs apps from a USB without installation, with a menu for easy organization on any PC.

Wiping the USB Drive

If you’re using a clean or new USB drive you can skip this step. For a used drive with existing partitions, open Terminal as admin (WIN + X, then A) and run:

diskpart
list disk
select disk 3 # replace 3 with your drive number — double check before continuing
clean

Common issues if clean fails:

No admin privileges — DiskPart requires elevated access
Drive in use — close File Explorer and any open files on the drive
Write protection — the USB may be set to read-only
Corrupted drive — antivirus or faulty hardware can interfere

Downloads

Building the USB Drive

Run the Ventoy installer:

Open Ventoy — select your drive from the dropdown
Click Options → Partition Style → choose GPT
Options again → Partition Configuration → toggle Preserve some space at the end of the disk → enter the amount you want for tools → OK
Confirm the storage shown next to “Device” then click Install

Now convert the reserved space into a second partition using Disk Management (WIN + X, K):

Find your Ventoy disk, right-click the unallocated space → New Simple Volume
Use the remaining storage for size
Assign a drive letter
Format as exFAT, name it Tools → Finish

Now install PortableApps:

Run the PortableApps EXE
On “Install Type” select New Install
Select Portable – Install to a portable device
Choose the Tools partition you just created
Click Install

Wrap Up

Drop your ISOs into the Ventoy partition and boot into the menu to start imaging or access tools like GParted. PortableApps will launch on startup with its app store where you can find most tools you need. For anything else, Reddit or the PortableApps development forums are a good resource.

- https://josephpalacios.org/posts/2025-07-28-creating-a-multitool-usb-drive/ -

Joseph Palacios

Wazuh Home Lab Setup with Docker

Prerequisites

1. Fix Docker Repo Duplicate (if needed)

2. Set Kernel Parameter

3. Clone the Repo

4. Generate Certificates

5. Start Wazuh

Changing the Default Password

Admin (Dashboard) Password

API User (wazuh-wui) Password

Deploying a Windows Agent

Troubleshooting

My Home Network

Topology Overview

Switches

Access Points

VLANs

What I Learned

How I Passed Cisco CCNA

Passing the CCNA

Taking the test

Studying tips

Goodbye WordPress, Hello Hugo

How I Built It

What’s Next

SSH: Concepts and Configuration

SSH Concepts

Public and Private Keys

SSH Config File

Common Commands

ssh

Example

ssh-keygen

Example

ssh-copy-id

Example

scp

Example

Additional Notes

How to Reflash a BIOS Chip Using a CH341A Programmer

Background

Requirements

Setting Up the Programmer

Step 1: Identify Pin 1

Step 2: Connect the Adapter

Step 3: Attach the Clip to the BIOS Chip

Step 4: Plug in the Programmer

Verifying Your Setup

Creating Verified Backups

Verifying File Sizes

Flashing the BIOS

Troubleshooting: File Size Mismatch

Fixing Windows' Broken USB Support in BitLocker

Requirements

Backing Up Your Recovery Key

Turning BitLocker Back On

Transitioning from TrueNAS: Choosing My Next NAS OS

Why Switch?

Core Requirements

Three Primary Candidates

The RAID Miscalculation

Solution Paths

Finally Moving Away from Cloudflare Tunnel to an Open-Source Alternative

Key Differences

Creating a Multitool USB Drive

Wiping the USB Drive

Downloads

Building the USB Drive

Wrap Up

API User (`wazuh-wui`) Password