[#] Thu Jan 19 2023 19:01:39 EST from Nurb432


Ya, not worth the effort or pain you will receive. 

A few bucks to a hosting provider, done. Yes, I know this was about zero trust... but in this day and age, 90% trust is good enough I think. Most providers would be destroyed if they got caught doing bad stuff.

Thu Jan 19 2023 06:54:15 PM EST from IGnatius T Foobar
Right. It is very much true, you're not going to be able to reliably run email from a residential Internet connection like the lazy dweeb in the article tried to do. 

[#] Fri Jan 20 2023 06:48:28 EST from darknetuser


2023-01-19 19:01 from Nurb432
Ya, not worth the effort or pain you will receive. 

I think it is worth doing, if only for the learning experience. It also lets you write down in your CV that you have mastered your Postfix/OpenSMTPD/Dovecot kung-fu.

[#] Fri Jan 20 2023 07:12:12 EST from Nurb432


Be sure to buy a bottle of migraine tablets.

:)

Fri Jan 20 2023 06:48:28 AM EST from darknetuser
2023-01-19 19:01 from Nurb432
Ya, not worth the effort or pain you will receive. 

I think it is worth doing, if only for the learning experience. It also lets you write down in your CV that you have mastered your Postfix/OpenSMTPD/Dovecot kung-fu.

[#] Mon Jan 23 2023 09:41:49 EST from IGnatius T Foobar


also lets you write down in your CV that you have mastered your
Postfix/OpenSMTPD/Dovecot kung-fu.

Your what now? :)

[#] Fri Mar 17 2023 10:51:25 EDT from Nurb432


And I do wish I had 20 or 30k lying around that I didn't care about, to buy a couple of bigger GPUs.. Make things much faster. And could load larger datasets.

[#] Sat May 06 2023 10:21:26 EDT from Nurb432


This could be network room material too, but security concerns are prompting this :) (even rants or bottom feeders, as these scumbags need beating with a bat)

So this week I've been getting hammered hard by script kiddies. More than normal. One now is hitting my Nextcloud URL (I have Nginx on the outside) and flooding it with enough bad logins that the NC server is now blocking my proxy IP (since it has no way to know where this stuff is really coming from and all it sees is my internal proxy address). Other ports are being hit too as expected, but with no effect as they were not open. But due to NC being offline in effect, last night I just shut all port mapping down and threw in the towel.

I'm thinking of just leaving my web services offline except on demand. But I would like to leave my OpenVPN server alive so I can still access my crap from the office or something.

It is on the standard port, but sniffers could find it on an odd port too, so I figured why bother.

In the bigger picture, how safe is this? You need a file to be able to connect, so it's not like you can just randomly send IDs/passwords. Sure, I still run a DoS risk even with nothing exposed, but what about the basic risk of publishing that way in?

I guess I could add a login on the Nginx side (I did that for my AI chat bot when I published it to play with at work), but it still gives them an active port with a 'real' login to beat on.

And unrelated to the actual question, an interesting thing was that it was coming from various ports on their end but was hitting 80 on my end to hit the NC URL.. is that new or have I never noticed? I have of course seen the random port-to-port scan, but not in this way where it does not match. (But I admit I don't keep up on this stuff.)

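Nurb432's Nextcloud ended up banning the Nginx proxy because every failed login arrived from the proxy's own address. The example below is added here and is not code from the thread or from Nextcloud; it shows the logic a brute-force counter needs behind a reverse proxy: honour X-Forwarded-For only when the TCP peer is a trusted proxy, which is what Nextcloud's trusted_proxies setting in config.php exists for. The proxy address, attacker addresses and ban threshold are constructed values.

```python
import ipaddress
from collections import defaultdict

# Constructed values: the internal Nginx reverse proxy and the ban threshold.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
MAX_FAILURES = 5

def is_trusted(addr, trusted=TRUSTED_PROXIES):
    return any(addr in net for net in trusted)

def client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Address a failed login is charged to.  X-Forwarded-For is honoured
    only when the TCP peer is a trusted proxy (an untrusted peer could forge
    it to dodge bans or get a third party banned).  Nginx appends the address
    it saw, so walk from the right and skip hops that are themselves trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted) or not xff_header:
        return str(peer)
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)          # malformed hop: fall back to the peer
        if not is_trusted(addr, trusted):
            return str(addr)
    return str(peer)                  # every hop trusted: charge the peer

class LoginThrottle:
    """Per-address failed-login counter, the core of any bruteforce blocker."""
    def __init__(self, limit=MAX_FAILURES):
        self.limit, self.failures = limit, defaultdict(int)

    def record_failure(self, peer_ip, xff_header=None):
        self.failures[client_ip(peer_ip, xff_header)] += 1

    def is_blocked(self, ip):
        return self.failures[ip] >= self.limit

def simulate(honour_xff):
    """Six constructed failed logins from three attacker addresses via the
    proxy.  honour_xff=False is what Nurb432 hit: all six are charged to
    10.0.0.5 and the proxy itself is banned while the attackers stay free."""
    throttle = LoginThrottle()
    attackers = ["203.0.113.7", "198.51.100.9", "192.0.2.33"]
    for src in attackers:
        for _ in range(2):            # two failures each, below the limit
            throttle.record_failure("10.0.0.5", src if honour_xff else None)
    return {"proxy_blocked": throttle.is_blocked("10.0.0.5"),
            "attackers_blocked": [throttle.is_blocked(a) for a in attackers]}
```

The same trust check matters in the other direction: without it, an attacker hitting the proxy directly could set the header to an arbitrary address and get that address banned instead of their own.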
[#] Mon May 08 2023 16:57:50 EDT from darknetuser


In the bigger picture, how safe is this? You need a file to be able
to connect, so its not like you can just randomly send
id/passwords.   Sure, i still run a DoS risk even with nothing
exposed, but what about the basic risk of publishing that way in?


It should be safe enough. I'd personally blacklist a good chunk of the internet from accessing my VPN ports anyway. If you connect mostly from one or two offices you may actually whitelist those IPs and set everything else default-deny.


Poor man's way of accessing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.

[#] Mon May 08 2023 18:45:43 EDT from zelgomer


Poor man's way of accessing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.


This is how I do stuff, so consider me a poor man. I have ssh tunnels in my configs for accessing all kinds of things.

[#] Mon May 08 2023 19:30:01 EDT from Nurb432


The office, that would work, but not from my phone.  

Mon May 08 2023 04:57:50 PM EDT from darknetuser
 If you connect mostly from one or two offices you may actually whitelist those IPs and set everything else default-deny.

[#] Mon May 08 2023 19:33:06 EDT from Nurb432


In the past I did just this. But I ran into 2 things:

1 - I was not using key-pairs and just a login, so it was sort of the same risk

2 - OpenVPN was transparent to all apps once connected.. and automatically did key-pairs so I didn't have to f with that myself for SSH.

Mon May 08 2023 04:57:50 PM EDT from darknetuser
Poor man's way of accessing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.

[#] Wed May 10 2023 16:46:38 EDT from darknetuser


2023-05-08 19:33 from Nurb432
In the past i did just this.  But, ran into 2 things

1 - i was not using key-pairs and just a login, so it was sort of the
same risk

2 - OpenVPN was transparent to all apps once connected..  and
automatically did key-pairs so i didnt have to f with that myself for
SSH. 

The advantage with SSH is that even if you are using password auth, there are so many tools for bruteforce prevention for SSH that you can grab any random one with not much effort.

[#] Wed May 10 2023 17:21:20 EDT from Nurb432


Most of what I saw was IP blocks. Ended up with such a large table of blocks that connections started slowing down.

I think I'm safe with VPN, and it's transparent. Unless someone comes up with a reason it's bad that I'm not thinking of.

Wed May 10 2023 04:46:38 PM EDT from darknetuser
2023-05-08 19:33 from Nurb432
In the past i did just this.  But, ran into 2 things

1 - i was not using key-pairs and just a login, so it was sort of the
same risk

2 - OpenVPN was transparent to all apps once connected..  and
automatically did key-pairs so i didnt have to f with that myself for
SSH. 

The advantage with SSH is that even if you are using password auth, there are so many tools for bruteforce prevention for SSH that you can grab any random one with not much effort.

[#] Thu May 11 2023 19:27:57 EDT from IGnatius T Foobar


Poor man's way of accessing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.

<< raises hand >> Call me a poor man then :)

Actually I have a nice WireGuard mesh between my home network, my hosting network, and my darknet gateway (three different locations). I'd like to have my travel laptop on it too, but WireGuard doesn't play nicely with T-Mobile's NAT464XLAT gateways. So when I'm tethered with my phone (like right now ... hello from the Atlanta airport) I set up a local SOCKS server on SSH and then connect to my home server over a hidden port number:

ssh -D 5060 -p <hidden_port_number> ig@home.server.dom

And the browser is configured to connect to a SOCKS server on localhost:5060 (I recommend a browser extension called "Socks5 Configurator" which makes this easy).

Aaaaaaaand now we're boarding so it's time for me to sign off. From now until the next time, see you in the skies!

[#] Thu May 11 2023 19:31:21 EDT from Nurb432


If you ever make it near me, yell.. 

Thu May 11 2023 07:27:57 PM EDT from IGnatius T Foobar
 (like right now ... hello from the Atlanta airport) 

[#] Fri May 12 2023 16:28:25 EDT from IGnatius T Foobar


I don't know where you are.

[#] Fri May 12 2023 16:45:50 EDT from Nurb432


Thought I mentioned it before. Central Indiana.

Fri May 12 2023 04:28:25 PM EDT from IGnatius T Foobar
I don't know where you are.
