Language:
switch to room list switch to menu My folders
Go to page: First ... 22 23 24 25 [26] 27 28 29 30
[#] Wed Jun 29 2022 12:01:44 EDT from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

DNSSEC has to do with digital signing of the records for authenticity and accuracy and such. DoH secures the transport itself. You can use them together.

[#] Sun Jul 17 2022 18:34:13 EDT from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

This could go in a variety of rooms.  

Got an AD today fro Amazon. Its a box to block radio signal so you can "use your router in safety"..

Um, if you are that concerned, turn off WiFi?



[#] Mon Sep 12 2022 13:51:27 EDT from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Great..  Seems this weekend they move ALL our DNS records to be proxied by cloud flare. Even externally hosted apps.  we were told it was changing to transparent logging so was not expecting this..  They even moved department's stuff that didnt yet approve of being moved.

Explains why my stuff is slower today than normal. My test system timed out while doing some testing ( unrelated to CF ).. got a cloud flare message.   "oh crap.. no... they didnt...."



[#] Wed Sep 28 2022 16:34:12 EDT from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]


I'm not using a CDN, but my web properties (including this site) are really distributed now.

* The front end to the clearnet is at provider A
* The front end to the darknet is at provider B
* And the origin servers are at provider C ... no way in except through VPN from one of the front end sites

My objective is to keep the location of the origin servers both concealed and protected.

I suppose you could also consider my home network to be location D, which also has a VPN straight into the origin servers, bypassing both the clearnet and darknet front ends.

[#] Wed Sep 28 2022 19:39:24 EDT from Greg Nesbitt

[Reply] [ReplyQuoted] [Headers] [Print]

My objective is to keep the location of the origin servers both
concealed and protected.

Interesting architecture. With the added advantage that if one of the front ends is attacked, it's relatively easy to bring up a replacement frontend at provider D and repoint the DNS on the fly with no need to fiddle with the origin servers.

At work we've been doing a lot with haproxy in a similar vein, more for redundancy than security.

[#] Thu Sep 29 2022 12:24:28 EDT from LoanShark

[Reply] [ReplyQuoted] [Headers] [Print]


That's Origin Cloaking and it's a common approach to DDoS protection but it isn't enough on its own.

[#] Thu Sep 29 2022 15:05:37 EDT from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Right. And that's fine, because my primary objective is not to protect the site from DDoS, but instead to protect the location where the origin servers are hosted. The front end VPN is capped at 5 Mbps and the IP addresses belong to the front end provider.

If I get attacked, the sites will go down. If the front end provider cancels my account because of DDoS or because of political pressure, I can set up the front end somewhere else, and the origin servers can stay where they are.

I've spoken before about why I am more interested in protecting the origin DC than in protecting the sites so I won't get into that again.

[#] Sat Nov 05 2022 16:31:17 EDT from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

"nginx proxy manager"   Ran across this earlier this week and tried it out today. For someone who struggled getting config files to work right in 'raw' nginx, this is wonderful.

Within 5 minutes i had it installed, ( not including time to setup a vm +docker )  and 3 of my hosts setup. 2 now have ssl via the proxy, the 3rd is pass-thru ssl as the host had its own.

even tho i'm not fond of docker anything, I think i will retire my Apache proxy... 



[#] Mon Dec 05 2022 08:52:08 EST from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

So one of cloud flare's services is to block TOR access.  Since TOR exit-points can be any PC on the planet, how do they know? 

It does work, just not sure how it could, at least completely.



[#] Wed Dec 07 2022 14:03:59 EST from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2022-12-05 08:52 from Nurb432
So one of cloud flare's services is to block TOR access.  Since TOR

exit-points can be any PC on the planet, how do they know? 

It does work, just not sure how it could, at least completely.


The addresses of Tor exit nodes are public knowledge. There are very few secret Tor Nodes. Most are registered in the open and you can actually download the lists of registered nodes at any given time.

The issue I have with Tor is that, by its very nature, it makes the network easy to abuse and so mucy people end up blocking it. I like I2P because it does not let itself be used to piss other people.

[#] Wed Dec 07 2022 14:10:07 EST from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Hmm i thought it was more random and variable than that.

 

That is too bad.



[#] Wed Dec 07 2022 14:45:15 EST from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2022-12-07 14:10 from Nurb432
Hmm i thought it was more random and variable than that.

 

That is too bad.


Tor exit nodes are not designed to be block-resistent. Some guard nodes are (and those are the actually secret nodes).

[#] Sat Dec 17 2022 14:54:08 EST from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Yeah. If you're serious about providing a service for the darknet, you put it ON the darknet. Join directly to I2P, Tor, Yggdrasil ... you have to assume that all exit nodes are being operated by Gestapo (formerly known as FBI) and every connection is logged and monitored.

[#] Sat Jan 14 2023 13:00:33 EST from IGnatius T Foobar

Subject: Netmaker -- an open source alternative to TailScale

[Reply] [ReplyQuoted] [Headers] [Print]

I found this interesting:

https://lnkd.in/eUw4nckY

NetMaker is, although they won't call it this, basically an open source version of TailScale. This was inevitable because TailScale was a great idea but real network administrators don't want to enslave their network to a proprietary technology any more than they want to read inspirational quotes on LinkedIn.

So basically you run the little client on every machine and it forms a full mesh on its own, while at the same time doing all of the things WireGuard is good at -- punching through firewalls, handling address changes, not being IPSEC, etc.

There's a company behind it offering a premium version but the core code is open source and it looks pretty usable. I'm going to give it a try.



[#] Sun Jan 15 2023 05:40:08 EST from darknetuser

Subject: Re: Netmaker -- an open source alternative to TailScale

[Reply] [ReplyQuoted] [Headers] [Print]

NetMaker is, although they won't call it this, basically an open
source version of TailScale. This was inevitable because TailScale
was a great idea but real network administrators don't want to
enslave their network to a proprietary technology any more than they

want to read inspirational quotes on LinkedIn.


Thanks for the link. It looks interesting.

The link you shared cannot be accessed from here so I just visited the main website of the project. I must say that I hate modern website design when it comes to hosting software products. The UX crowd masturbates so hard with them I feel the need to wash my hands after visiting them.

[#] Sun Jan 15 2023 08:07:26 EST from Nurb432

Subject: Re: Netmaker -- an open source alternative to TailScale

[Reply] [ReplyQuoted] [Headers] [Print]

Justification of existence.

And the constant change.. pisses me off greatly.  Make it work, leave it the F- alone.

Sun Jan 15 2023 05:40:08 AM EST from darknetuser Subject: Re: Netmaker -- an open source alternative to TailScale
The link you shared cannot be accessed from here so I just visited the main website of the project. I must say that I hate modern website design when it comes to hosting software products. The UX crowd masturbates so hard with them I feel the need to wash my hands after visiting them.

 



[#] Tue Jan 17 2023 13:14:18 EST from IGnatius T Foobar

Subject: Re: Netmaker -- an open source alternative to TailScale

[Reply] [ReplyQuoted] [Headers] [Print]

Sorry, I apparently posted an exit link from Business Facebook (LinkedIn).
The real link is:

https://www.netmaker.io

Meshed Wireguard is so obvious at this point that I think it's obvious Netmaker will either put TailScale out of business or force them to make their core product available as open source.

I want to see more Wireguard, more everywhere. IPSEC needs to go the way of Apache and Sendmail. I was over-the-moon delighted when Mikrotik added Wireguard support in RouterOS 7. Now my home network is connected to my hosting network, and my hosting network spans two sites, and everything is so happy.

[#] Tue Jan 17 2023 13:22:00 EST from Nurb432

Subject: Re: Netmaker -- an open source alternative to TailScale

[Reply] [ReplyQuoted] [Headers] [Print]

lol. paranoid me did a search and didnt hit the link so never noticed.  Not that i dont trust YOU, but its habit.



[#] Tue Mar 28 2023 23:33:18 EDT from IGnatius T Foobar

Subject: Re: Netmaker -- an open source alternative to TailScale

[Reply] [ReplyQuoted] [Headers] [Print]

That's fine, either way you found out about it.

Unfortunately I can't run TailScale because my Wireguard network has endpoints that can't run the client. One is a NAT64 gateway in the R&D lab at work that I am better off not messing with. Another is my Mikrotik router at home, which despite having a real kernel cannot run arbitrary programs.

That probably misses the point, though. I think you're not really supposed to run TailScale on the network edge; you're supposed to just run it on every workstation and server in your organization and you let it figure out the topology for you.

I should just turn on BGP and run a route server. But I guess there's the small matter of knowing the public key and UDP port of each endpoint. Ooooh, I know! I'll create my own BGP address family :)

[#] Mon Aug 21 2023 09:07:20 EDT from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Neat

Site to site VPN ( from us to azure cloud ). As of about 5 am some traffic started being blocked. but not all..   in both directions.  And not just hard stops, some ports work, some IPs work, some dont. its not consistent.  

And of course both sides are pointing their fingers at the other side and we are getting nowhere.. 



Go to page: First ... 22 23 24 25 [26] 27 28 29 30