"can" but i woudl rather have it on a fat VM.
im still old school and not really ready to accept containers and by the time i have to, it wont matter anymore. Tho i guess i was an early adopter of the concept of VM back in the 90s, in effect. I realize is the same tech underneath, but same idea at least. On my ST i ran PCDitto and Spectre for mac ( i had access to a dead mac so i was able to get legit roms )
Sat May 08 2021 01:42:58 PM EDT from IGnatius T Foobar
You can run the database in a container too, as long as you have a way of keeping its data somewhere other than the container's writable layer. For example, I maintain a system where a bunch of applications in containers connect to a MariaDB instance running in another container, but that container has /var/lib/mysql mounted as a persistent volume. I can upgrade the MariaDB container at any time (yes, with an outage) and keep the data.
The clouderati expect you to connect to "their" database-as-a-service, which will have clustering and load balancing. They probably still run it in containers.
Never mind, I give up and will try something else. It looks like the configuration format changed recently and even the man page refers to the old format.
It seemed simple enough with the old config format. But now it's changed, and I see zero actual documentation for the new way, and anything I have tried pisses it off. So it's a hard stop. Too bad, too.
Sat May 08 2021 05:23:25 PM EDT from Nurb432
So anyone used "pound" as a reverse proxy?
So it's back to tinyproxy, which was actually working. Surprisingly, I was right on just needing to set up some upstream settings to fake it into thinking they are upstream proxies. Problem was Citadel was not talking back, so I just assumed I was forgetting something and it was just broke, and wasted a lot of time. So I tried it with a couple of other web servers running; they all worked.
Got some errors on start on the Citadel server too about ports being locked, which makes no sense as I installed *nothing* else. I think I'll just start over, as I know it worked in the past with this setup.
Also need to redo my proxy server, clean it up from the failed attempt with pound, and switch it all over to port 80.
Ok. That makes sense. I agree with the single point of failure. It seems like a lot of risk, and a lot of effort, just to be able to tell Chinese subnets to go fluck themselves... especially when it won't prevent domestic attacks anyhow.
It is so simply built into Synology NAS solutions... it is too bad that Proxmox doesn't have a feature as sophisticated. Fortinet does - and I've got a friend who used to be able to set up blazing Fortinet deals... but - again... more hardware, SPOF... etc...
I guess I'll just keep letting them hit SSH with root every couple of minutes for as long as I keep the BBS up.
fail2ban helps with the script kiddies.
However, I have run into a problem that I didn't have in the past when I was running tinyproxy. After a bunch of open connections it sort of gets lost and does not really hard fail, but quits working. Only a reboot fixes it (not even a service restart). I upped the limits and dropped the timeout, but I'm still getting flooded with connections, and they are not closing their session, so it builds up, fast. It seems they are from random IPs, so fail2ban isn't blocking them first. I guess things have got worse over the years in the volume of constant attacks (might also be partly due to me being on a different ISP now with far more bandwidth; I was on Comcast back then, now it's a fiber company). Even before it dies, it starts slowing down due to the hammering.
This most likely was causing the problems I thought I was having before that caused me to look for something else (ended up with pound). I was sure it was just me and I had it misconfigured due to poor memory of what I did last time, and then after that thinking Citadel wasn't responding. Pretty sure now it was just due to me being hammered to death.
For the time being I shut it down; I may end up having to run on odd ports after it's all said and done. Not that it's a fix for the attacks, but if I dedicate various ports to each app (what I was trying to avoid), at least things will work.
Frustrating.
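An added example for the situation in the post above (mine, not code from the thread, tinyproxy or Citadel): before blocking anything, see which peers are actually holding the proxy's sockets. The script parses output in the shape `ss -tan` prints and groups it by peer address and TCP state, so a flooder that never fails a login (and so never trips fail2ban) still stands out. The socket table is constructed; the proxy port (80), the addresses and the per-peer limit of 10 are assumptions.

```python
"""Who is holding the reverse proxy's connections open?

Added example, not code from the thread or from tinyproxy.  Reads text in the
shape `ss -tan` prints (the sample below is constructed, proxy on port 80) and
reports peers holding more than a threshold of sockets, split by TCP state.
"""
from collections import Counter, defaultdict

PER_PEER_LIMIT = 10   # assumption: more than this from one peer is a hog


def parse_ss(text):
    """Yield (state, peer_ip) for each non-header, non-listening row."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "LISTEN":
            continue
        # Peer is "ip:port" or "[v6]:port"; split on the last colon only.
        peer_ip = parts[4].rpartition(":")[0].strip("[]")
        yield parts[0], peer_ip


def state_totals(text):
    """Overall socket count per TCP state (a CLOSE-WAIT pile = proxy never close()d)."""
    return Counter(state for state, _ in parse_ss(text))


def connection_hogs(text, limit=PER_PEER_LIMIT):
    """Peers holding more than `limit` sockets, with a per-state breakdown."""
    per_peer = defaultdict(Counter)
    for state, peer_ip in parse_ss(text):
        per_peer[peer_ip][state] += 1
    return {ip: dict(c) for ip, c in per_peer.items() if sum(c.values()) > limit}


def constructed_ss_output():
    """Constructed sample, not a capture: one flooder that never closes its
    sessions, one peer that closed its side while the proxy has not, and a
    couple of ordinary clients."""
    rows = ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
            "LISTEN     0      128    0.0.0.0:80           0.0.0.0:*"]
    rows += [f"ESTAB      0      0      192.0.2.10:80        203.0.113.5:{51000 + n}"
             for n in range(30)]
    rows += [f"CLOSE-WAIT 1      0      192.0.2.10:80        198.51.100.7:{40000 + n}"
             for n in range(15)]
    rows += [f"ESTAB      0      0      192.0.2.10:80        192.0.2.77:{60000 + n}"
             for n in range(3)]
    rows.append("ESTAB      0      0      [2001:db8::10]:80    [2001:db8::77]:6001")
    return "\n".join(rows)


if __name__ == "__main__":
    sample = constructed_ss_output()
    print(dict(state_totals(sample)))
    for ip, states in connection_hogs(sample).items():
        # ESTAB hogs are candidates for `iptables -I INPUT -s <ip> -j DROP`;
        # a CLOSE-WAIT pile is the proxy's side to fix, a drop rule won't clear it.
        print(ip, states)
```

On a live box, replace `constructed_ss_output()` with `sys.stdin.read()` and pipe `ss -tan` into it. The two kinds of result mean different things: a peer with dozens of ESTAB sockets it never closes is a candidate for a drop rule, while a pile of CLOSE-WAIT sockets means the peers already hung up and the proxy has not closed its side, which no firewall rule will clear and which counts against tinyproxy's MaxClients just the same.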
I was at a Defcon a few years back and saw a seminar where they were talking about how the challenge with port-scanning was that it was really slow on a global scale. It would take forever to go through and scan all open ports on all public IP addresses around the globe. The presenters had developed some new solution that could scan the entire globe in a matter of hours... and they were demonstrating how they were finding back-door portals to things like internal police booking systems that were not password protected - "unpublished" sites that were relying on just having IP addresses instead of URLs for their "security".
I can't remember all the details - but I would assume that an increase in volume has come from white-hats doing these kind of scans, but also black-hats getting the technology and using it as well.
Combined with increasing numbers of script-kiddies just hammering on any open port on any public address the old fashioned way - it is rush hour on the dogs sniffing your IP address to see what might be vulnerable.
Tue May 11 2021 09:03:21 EDT from Nurb432
fail2ban helps with the script kiddies.
I have copy/paste turned off. And our VPN is no longer multihomed, so when it's on, it's really off my network.
By that do you mean that it is not running in a split tunnel configuration? That's pretty typical these days. And it's a good idea ... until you need to send something to your network printer at home.
In the old days the routing was split, so you still could do things like that. Back then we also would run it on our personal computers, and few of us had laptops. So anything that didn't need an office IP went out your own line, like messaging, Gmail, printing, whatever. Mostly for work we just would RDP back to our desktops, or a server. They all had the apps we needed, not our home device.
Once that was taken away, most everything you would want to do, like check your personal mail, quit due to firewall rules on the office side. I moved to a minimal VM the next day, dedicated to VPN+RDP. Though I did have both a laptop and a desktop, my laptop at the time was mostly for presentations when I would visit clients; it didn't have the horsepower to do my real work. That changed 2 or 3 years ago for me, but I still didn't carry it home on a regular basis.
Now it's either a shop VM like I do, or an actual 2nd device, since nearly everyone who didn't already have one got a laptop when we were all sent home last year. Now even people that come into the office keep their laptop, and are told they must take it home every evening, "just in case of disaster". That was being floated even before the virus forced the issue. We had a flood on a floor below us that took out every desktop: "see, you can't rely on RDP", which I guess is true when you don't have a VDI infrastructure to handle 1000s of people at once.
Of course now more (most) of our apps are web based, and externally accessible... not all, but most. A lot has changed over the years. Some don't need anything other than a browser. (I'm close, still a couple of fat clients left for me.)
Perhaps multihomed isn't the correct term, but it's what we always called it.
Tue May 11 2021 07:53:17 PM EDT from IGnatius T Foobar
I have copy/paste turned off. And our VPN is no longer multihomed, so when it's on, it's really off my network.
By that do you mean that it is not running in a split tunnel configuration? That's pretty typical these days. And it's a good idea ... until you need to send something to your network printer at home.
Multihomed usually refers to a device having two (or more) physical NICs, each on a separate subnet. Sometimes you would use a multihomed machine to make certain things accessible outside, certain things inside. Other times you would use a second NIC as a heartbeat or maintenance network (for example, running large backups on the second NIC, isolating that backup traffic from the main network)...
Tue May 11 2021 20:15:57 EDT from Nurb432
Perhaps multihomed isn't the correct term, but it's what we always called it.
Tue May 11 2021 07:53:17 PM EDT from IGnatius T Foobar
I have copy/paste turned off. And our VPN is no longer multihomed, so when it's on, it's really off my network.
By that do you mean that it is not running in a split tunnel configuration? That's pretty typical these days. And it's a good idea ... until you need to send something to your network printer at home.
Any port on any address will be scanned, constantly and hard, by black hat scumbags, mostly from China (but occasionally going through proxies elsewhere made out of machines they've taken control of). This is true regardless of what hardware and software you are running. It's just a fact of life right now.
There are some tricks I've employed over the years that seem to work pretty well.
One is to set up an account with a very obvious username, like "admin" or "oracle" or "guest" or even "root" if you're able to use it, and the password should be the same as the username. The moment that account is authenticated successfully, the system should block the connecting IP address. That slows them down for a while. You might call this a slightly modified honeypot strategy.
Another is to slow down the rate at which they are able to establish new SSH connections. For example, the following iptables rules will block an IP address if it attempts more than three connections within 60 seconds:
# Both rules use -I, so whichever is inserted last sits first in INPUT; inserting the
# DROP rule first puts --set above it, so the 4th connection in 60s is stamped, then dropped.
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
Eventually though, you just learn to live with it.
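Both tricks from the post above, expressed as a check over sshd's log instead of in iptables, as an added example (mine, not code from the thread or from Citadel). It assumes OpenSSH's usual syslog line format; the log lines, host name and addresses are constructed, the bait account list is the post's, and the threshold mirrors the iptables rules (a 4th hit inside 60 seconds trips the block).

```python
"""Log-driven version of the two SSH tricks: bait accounts and a rate window.

Added example, not code from the thread or from Citadel.  Assumes OpenSSH's
default syslog-style auth lines; the sample log is constructed, and the
addresses are from documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Bait accounts that exist only so a successful login identifies an attacker.
HONEY_ACCOUNTS = {"admin", "oracle", "guest", "root"}

# Same thresholds as the iptables rules: the 4th hit within 60 s trips the block.
WINDOW = timedelta(seconds=60)
MAX_HITS = 3

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, verdict, user, ip), or None for lines we don't score."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; pin one (assumption) so every date parses.
    ts = datetime.strptime("2021 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["verdict"], m["user"], m["ip"]


def ips_to_block(lines):
    """Map each address that should be dropped to the reason it tripped."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failed logins
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, verdict, user, ip = parsed
        if ip in blocked:
            continue
        # Trick 1: nobody legitimate ever logs in as a bait account.
        if verdict == "Accepted" and user in HONEY_ACCOUNTS:
            blocked[ip] = f"login to honeypot account {user!r}"
            continue
        # Trick 2: sliding window over failed attempts (an auth log sees
        # attempts, not TCP SYNs, so that is the closest stand-in for the rule).
        if verdict == "Failed":
            window = recent[ip]
            while window and ts - window[0] > WINDOW:
                window.popleft()
            window.append(ts)
            if len(window) > MAX_HITS:
                blocked[ip] = f"{len(window)} failed logins within {WINDOW.seconds}s"
    return blocked


# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
May 15 14:26:44 bbs sshd[2201]: Failed password for root from 198.51.100.23 port 40112 ssh2
May 15 14:26:47 bbs sshd[2203]: Failed password for invalid user oracle from 198.51.100.23 port 40118 ssh2
May 15 14:27:01 bbs sshd[2205]: Failed password for root from 198.51.100.23 port 40125 ssh2
May 15 14:27:30 bbs sshd[2207]: Failed password for invalid user admin from 198.51.100.23 port 40131 ssh2
May 15 14:28:10 bbs sshd[2210]: Accepted password for admin from 203.0.113.7 port 51234 ssh2
May 15 14:29:00 bbs sshd[2212]: Accepted publickey for nurb from 192.0.2.9 port 50000 ssh2
May 15 14:30:00 bbs sshd[2214]: Failed password for root from 192.0.2.50 port 41000 ssh2
May 15 14:31:30 bbs sshd[2216]: Failed password for root from 192.0.2.50 port 41001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, why in ips_to_block(SAMPLE_LOG).items():
        # Feed these to `iptables -I INPUT -s <ip> -j DROP` or a fail2ban action.
        print(f"{ip}\t{why}")
```

The function returns addresses with a reason; wiring them to a drop rule or a fail2ban action is left to the caller. Two caveats worth attaching to the trick: give the bait accounts a shell of /usr/sbin/nologin (or an sshd ForceCommand) so the successful authentication hands the attacker nothing in the moment before the block lands, and remember that a window check only catches bursts: the last two sample lines, 90 seconds apart, pass untouched, which is the same gap the iptables rules have.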
Right, but if I split my ports up, then my reverse proxy isn't there to die due to the load. Yes, I could find another, but at this point it's not worth the trouble.
Sat May 15 2021 02:26:44 PM EDT from IGnatius T Foobar
Any port on any address will be scanned, constantly and hard, by black hat scumbags,
Speaking of all this, I think it's time for me to set up my Guacamole with 2FA, or take it offline to the outside. Anymore it's turned off since I work from home now, but that will change eventually.
Unsure how 'safe' OpenVPN is with keypairs. I guess safe enough?
Hell, why not "root/root" with it instantly dumping a *terrible* Windows virus back on them when they connect? I'm sure you could do that.
And imagine how many script kiddies you could take out in a day. Leave .txt message on their freshly formatted C: Drive. "Next time, I run your credit until you're 80, asshole."
You're too nice.
Sat May 15 2021 14:26:44 EDT from IGnatius T Foobar
Any port on any address will be scanned, constantly and hard, by black hat scumbags, mostly from China (but occasionally going through proxies elsewhere made out of machines they've taken control of). This is true regardless of what hardware and software you are running. It's just a fact of life right now.
The thing about randomly knocking on doors is - you never know who might answer.
Sat May 15 2021 22:16:33 EDT from ParanoidDelusions
You're too nice.
"Account Authenticated, the SSH key of the machine you are connecting to does not match the one stored on this machine. Click YES to accept the new SSH key."
"Congratulations N00b - you're infected. pWn3d."
Sat May 15 2021 22:17:39 EDT from ParanoidDelusions
The thing about randomly knocking on doors is - you never know who might answer.
Sat May 15 2021 22:16:33 EDT from ParanoidDelusions
You're too nice.
As a matter of fact, can we get something like this as an opt-in feature with the easy-install?
"Proactive Security? Y/N?"
Sat May 15 2021 22:19:07 EDT from ParanoidDelusions
"Account Authenticated, the SSH key of the machine you are connecting to does not match the one stored on this machine. Click YES to accept the new SSH key."
"Congratulations N00b - you're infected. pWn3d."
Sat May 15 2021 22:17:39 EDT from ParanoidDelusions
The thing about randomly knocking on doors is - you never know who might answer.
Sat May 15 2021 22:16:33 EDT from ParanoidDelusions
You're too nice.
You're too nice.
Just lazy. I could be a lethal digital vigilante if I wanted to spend the time. I am satisfied enough by offering my sister to every madarchod who calls to sell me an extended warranty on my car or credit card services.
Let 'em make noise at my door. They won't get in. There are only a few SSH accounts and they have good passwords. It's even more fun to watch the HTTP logs. They're constantly trying every PHP vulnerability in the book.
Correct. A multihomed host sits on two or more networks.
Our VPN is non-split-tunnel; when you're connected, you can ONLY make connections to the corporate network. This both sucks and blows if you want to print something and your computer isn't within USB distance of your printer. I have to print over the Internet back to my home printer, using a port I opened on the firewall to permit print jobs to connect from the address I know the VPN site will go back out on.