• 1 Post
  • 32 Comments
Joined 3 years ago
cake
Cake day: June 15th, 2023

help-circle

  • lemmyvore@feddit.nltoSelfhosted@lemmy.worldThoughts on crowdsec
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    5 days ago

    Yes, and also by trying common subdomains under the main domain (like jellyfin., home. etc.) (They also scan the entire IPv4 address space, all TCP ports, over and over, but that’s a different discussion.)

    If you’re using DDNS you have to also be careful where you put the A and AAAA records. Some people put them on the main domain and then do a wildcard CNAME pointing to it for all the subdomains, or individual subdomain CNAMEs. But since the main domain is known from TLS cert logs it’s trivial for bots to also check to see if there’s A/AAAA records on it.

    It’s better to put the A/AAAA on a dedicated subdomain, obfuscate the name beyond trivial guesses (eg. maybe don’t use ip.), and make an individual CNAME for each services that points to the IP subdomain, and obfuscate those service subdomains similarly.

    For those who aren’t familiar with DNS, the information in it is publicly available to anybody who can name a [sub]domain and record type explicitly, but they refuse to do “list all the records for all the subdomains of this domain”. So bots are limited to asking for the most commonly used record types on the main domain but can’t get to records on subdomain names unless they can name the subdomain. (For completion, asking for a list of all records is possible, but nowadays due to abuse that function is restricted on all the public servers to just the known IPs of their fellow redundant servers.)

    A similar limitation applies to reverse proxies, bots can’t get to a service behind it unless they can correctly name the FQDN that the proxy uses for that service. (But please note that a reverse proxy works independently of DNS. If the proxy has foo.example.com defined to reach a service, it will work even if that domain isn’t in DNS or doesn’t exist.)

    Even after taking these measures you have to keep in mind that this is not security, it’s obscurity. It cuts down on bot scans which is great but don’t assume it means nobody knows your service domains. Your ISP probably knows them, there are DNS servers out there that know them, your mobile carrier can see them, and if you ever connect to WiFi when away from home the owners of those WiFi can see them (think hotels, airports, coffee shops etc.) It’s not out of the question for a coffee shop WiFi to have been compromised and to collect URLs and attempt attacks against them. Use VPN or a SSH tunnel to connect to services whenever possible, rather than exposing them publicly, and if you must expose them publicly then use mTLS or at the very least a custom header key.


  • In the Yggdrasil network any node can act as relay for other nodes. So you can get to unreachable nodes via reachable nodes, as long as there’s a possible path through the network graph.

    The community also maintains a few nodes with static public addresses, specifically so they can be used as entry points into the network.

    Each node has two addresses, one used for communications inside the network and one used for peering. The inner address is IPv6 allocated randomly from the reserved 0200::/7 range and never changes (unless you wipe and re-configure the node). The peering address needs to be public and static, yes, but can be either IPv4 or IPv6 fwiw.

    You only need to peer with one such public and static address to be able to reach other nodes, as long as there’s a path to them among all the peers in the graph. If you’re taking advantage of the larger Yggdrasil network that is taken care of by the public community nodes. If you want to set up your own separate network then you need to set up at least one node with a public static address. But you can also use a domain name and do DDNS for example.


  • If you’re using ipv6 supposedly you don’t need to forward ports.

    You don’t need to forward ports but you still need to maintain network rules for each port so you can get through the firewall. And those rules need to know IPs. And if your public IPv6 prefix changes you need to update the rules.

    So, really, there’s no advantage over forwarding, on the contrary, since forwarding uses private IPs which you can make static so they never change.

    Some router software like OpenWRT attempts to work around this issue by using a special “minus netmask” shorthand syntax for the network rules, for example ::2/-64 means you want to reach [whatever the dynamic prefix is right now]::2. Which assumes you’ve set things up so that a certain machine always gets static suffix ::2, which means that machine does not do MAC anonymization and can use DHCPv6, which excludes all Android and iOS devices. So it can be used with Linux servers for example but with a lot of caveats.



  • It’s a mesh VPN using exclusively IPv6 addresses in the reserved 0200::/7 range.

    By default a new node connects to nothing. You add other nodes explicitly, typically they’d be your own devices, but the network also maintains a few public nodes that are used to facilitate communications across the entire Yggdrasil network.

    When a node is connected it raises a tunnel network interface and routes 0200::/7 through it. With the usual caveats (it will pick up any service that binds to all interfaces etc.)

    Each node can act as relay to reach nodes that aren’t directly connected – the network will compute the shortest path in that case – and this can be used to reach nodes behind CGNAT as long as there’s a path that contains at least one publicly reachable node.

    All connections are end-to-end encrypted with the keys of the two end-nodes involved in it, so the relay nodes cannot eavesdrop.

    That’s about it. Anything else (DNS, routing, firewalls) is the responsibility of each node.






  • Yes. If a TLD has the so called “premium domains” feature then it can unilaterally decide that certain domains are worth more, based on their popularity. Then they’ll ask you to pay tens, hundreds or even thousands at renewal time, and if you can’t pay they will auction it away.

    This isn’t something that registrars do, this is something that the entity that manages the TLD itself is doing.

    For TLD’s without “premium domains” the TLD sets a single base price for all their domains. Registrars can demand more but there’s competition so someone will always sell it for closer to the base price, and if they change their price at renewal you can transfer to a different registrar.

    You can’t do this with a premium TLD once they’re targeted your domain because the TLD forces all registrars to raise the price for your specific domain.

    Bottom line, never buy from a TLD with premium domains.



  • With WordPress (or any CMS) keep in mind that if you don’t really need visitor-facing dynamic features (like comments), then you can self-host the admin and content editing completely privately, and only export a static “dump” of the finished website pages as plain HTML/CSS/JS and images.

    You can serve these static files fairly efficiently yourself with a small HTTP server, or upload to a CDN service which will take care of things like redundancy, availability, replicated content for faster access from certain geographic areas, you won’t care about denial of service or bots etc.

    Meanwhile your CMS software is completely isolated from break-ins or drive-by bot attacks. As a perk, you can experiment with different CMS freely without fundamentally changing your approach, because they all produce static files one way or another. You can try for example Hugo, or a fediverse-enabled microblogging app like Pleroma, Misskey or even Mastodon.



  • Please note that to use “bcrypt” for htpasswd_encryption you need the bcrypt python module installed. Some distributions of radicale (eg. some docker images) don’t have it.

    It’s fairly safe to set it to “md5” instead. It does not mean plain MD5 (one iteration), it does several hundred rounds of MD5 plus a salt.

    For the curious, the advantage of bcrypt over a single-iteration, fast hash like MD5 is that bcrypt lets you set the hashing effort, while MD5’s goal is to do it as fast as possible.

    This becomes relevant when someone steals your password file and tries to brute force it by hashing a bunch of dictionary words and random strings (plus a bunch of salts) until something matches. A fast single-iteration hash like MD5 will let them do that much faster than a bcrypt hash set to a higher effort; it can mean the difference between finding a password in one week vs finding one in 100 years. That’s what the hundreds-of-iterations MD5 is trying to achieve, it’s a “poor man’s bcrypt”.


  • Add mTLS to the reverse proxy and to the Immich client app and forbid access without it.

    The mTLS certs can be self-generated. There are tutorials for generating your own CA and individual mTLS certs for each device. Then you put the ca.pem file in a place accessable by NPM and add a couple of commands to the “Advanced” tab of the Immich proxy host, and you put the mTLS cert on the phone and load it into the Immich app.

    mTLS is a super strong method, not only does it serve as great authentication for that particular device, it also checks the TLS connection for tampering so it can’t be hijacked even if somehow you get rogue certificates loaded on your phone, you can revoke certs if your phone gets lost or stolen etc.




  • InfCloud is the last and only functional, standalone, web-based CalDAV frontend currently in existence. It doesn’t really matter how crap it is because there’s no alternative. And besides CalDAV/CardDAV are not exactly rapidly-evolving anymore.

    There are a handful of alternative frontends bundled with other webapps, for example Nextcloud includes one, but if you don’t want to install Nextcloud just for that you’re stuck with InfCloud.

    I really wish someone would make a modern standalone webapp for this but no luck so far.

    Having worked at some point on some calendar interfaces I can appreciate why, because they’re super intricate and difficult.