Language:

en_US

switch to room list switch to menu My folders
Go to page: First ... 17 18 19 20 [21] 22 23
[#] Fri Jan 20 2023 00:01:39 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Ya, not worth the effort or pain you will receive. 

A few bucks to a hosting provider, done.  Yes  i know this was about zero trust... but in this day and age, 90% trust is good enough i think.  Most providers would be destroyed if they got caught doing bad stuff.

Thu Jan 19 2023 06:54:15 PM EST from IGnatius T Foobar
Right. It is very much true, you're not going to be able to reliably run email from a residential Internet connection like the lazy dweeb in the article tried to do. 

 



[#] Fri Jan 20 2023 11:48:28 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2023-01-19 19:01 from Nurb432
Ya, not worth the effort or pain you will receive. 

I think it is worth doing, if only for the learning experience. It also lets you write down in your CV that you have mastered your Postfix/OpenSMTPD/Dovecot kung-fu.

[#] Fri Jan 20 2023 12:12:12 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Be sure to buy a bottle of migraine tablets.

 

:)

Fri Jan 20 2023 06:48:28 AM EST from darknetuser
2023-01-19 19:01 from Nurb432
Ya, not worth the effort or pain you will receive. 

I think it is worth doing, if only for the learning experience. It also lets you write down in your CV that you have mastered your Postfix/OpenSMTPD/Dovecot kung-fu.

 



[#] Mon Jan 23 2023 14:41:49 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

also lets you write down in your CV that you have mastered your
Postfix/OpenSMTPD/Dovecot kung-fu.

Your what now? :)

[#] Fri Mar 17 2023 14:51:25 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

And i do wish i had 20 or 30k laying around that i didnt care about, to buy a couple of bigger GPUs..  Make things much faster.   And could load larger datasets. 



[#] Sat May 06 2023 14:21:26 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

This could be network room material too. but security concerns is prompting this :)   ( even rants or bottom feeders as these scumbags need beat with a bat )

So this week been getting hammered hard from script kiddies. More than normal. One now is hitting my nextcloud url ( i have Ngnix on the outside ) and flooding it with enough bad logins that the NC server is now blocking my proxy IP  ( since it has no way to know where this stuff is really coming from and all it sees is my internal proxy address ). Other ports being hit too as expected, but no effect as they were not open. But due to NC being offline in effect, last night i just shut all port mapping down and threw in the towel.

I'm thinking of just leaving my web services offline except on demand. But i would like to leave my OpenVPN server alive so i can still access my crap from the office or something.  

It is on the standard port, but sniffers could find it on an odd port so i figured why bother.  

In the bigger picture, how safe is this? You need a file to be able to connect, so its not like you can just randomly send id/passwords.   Sure, i still run a DoS risk even with nothing exposed, but what about the basic risk of publishing that way in?

I guess i could add a login on the NGNIX side ( i did that for my AI chat bot when i published it to play with at work ), but it still gives them an active port with a 'real' login to beat on.

 

 

And unrelated to the actual question, Interesting thing was that it was coming from various ports on their end but was hitting 80 on my end to hit the NC URL.. is that new or have i never noticed?  I have of course seen the random port to port scan, but not in this way where it does not match.  ( but i admit i dont keep up on this stuff. )

 



[#] Mon May 08 2023 20:57:50 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

In the bigger picture, how safe is this? You need a file to be able
to connect, so its not like you can just randomly send
id/passwords.   Sure, i still run a DoS risk even with nothing
exposed, but what about the basic risk of publishing that way in?


It should be safe enough. I'd personally blacklist a good chunk of the internet from accessing my VPN ports anyway. If you connect mostly from one or two offices you may actually whitelist those IPs and set everything else default-deny.


Poorman's way of accesing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.

[#] Mon May 08 2023 22:45:43 UTC from zelgomer

[Reply] [ReplyQuoted] [Headers] [Print]

Poorman's way of accesing internal web services that are behind a
firewall is to have a proxy inside and use ssh forwarding to access
said proxy. ssh has enough tools for blocking bruteforcers as it is and

should be easy enough to defend. That is my approach for my personal
stuff.


This is how I do stuff, so consider me a poor man. I have ssh tunnels in my configs for accessing all kinds of things.

[#] Mon May 08 2023 23:30:01 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

The office, that would work, but not from my phone.  

Mon May 08 2023 04:57:50 PM EDT from darknetuser
 If you connect mostly from one or two offices you may actually whitelist those IPs and set everything else default-deny.




[#] Mon May 08 2023 23:33:06 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

In the past i did just this.  But, ran into 2 things

1 - i was not using key-pairs and just a login, so it was sort of the same risk

2 - OpenVPN was transparent to all apps once connected..  and automatically did key-pairs so i didnt have to f with that myself for SSH. 

Mon May 08 2023 04:57:50 PM EDT from darknetuser
Poorman's way of accesing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.

 



[#] Wed May 10 2023 20:46:38 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2023-05-08 19:33 from Nurb432
In the past i did just this.  But, ran into 2 things

1 - i was not using key-pairs and just a login, so it was sort of the
same risk

2 - OpenVPN was transparent to all apps once connected..  and
automatically did key-pairs so i didnt have to f with that myself for
SSH. 

The advantage with SSH is that even if you are using password auth, there are so many tools for bruteforce prevention for SSH that you can grab any random one with not much effort.

[#] Wed May 10 2023 21:21:20 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

most of what i saw was IP blocks.  ended up with such a large table of blocks, connections started slowing down

 

i think im safe with vpn, and its transparent.  Unless someone comes up with a reason its bad that im not thinking of. 

Wed May 10 2023 04:46:38 PM EDT from darknetuser
2023-05-08 19:33 from Nurb432
In the past i did just this.  But, ran into 2 things

1 - i was not using key-pairs and just a login, so it was sort of the
same risk

2 - OpenVPN was transparent to all apps once connected..  and
automatically did key-pairs so i didnt have to f with that myself for
SSH. 

The advantage with SSH is that even if you are using password auth, there are so many tools for bruteforce prevention for SSH that you can grab any random one with not much effort.

 



[#] Thu May 11 2023 23:27:57 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Poorman's way of accesing internal web services that are behind a
firewall is to have a proxy inside and use ssh forwarding to access
said proxy. ssh has enough tools for blocking bruteforcers as it is and

should be easy enough to defend. That is my approach for my personal
stuff.

<< raises hand >> Call me a poor man then :)

Actually I have a nice WireGuard mesh between my home network, my hosting network, and my darknet gateway (three different locations). I'd like to have my travel laptop on it too, but WireGuard doesn't play nicely with T-Mobile's NAT464XLAT gateways. So when I'm tethered with my phone (like right now ... hello from the Atlanta airport) I set up a local SOCKS server on SSH and then connect to my home server over a hidden port number:

ssh -D 5060 -p <hidden_port_number> ig@home.server.dom

And the browser is configured to connect to a SOCKS server on localhost:5060 (I recommend a browser extension called "Socks5 Configurator" which makes this easy).

Aaaaaaaand now we're boarding so it's time for me to sign off. From now until the next time, see you in the skies!

[#] Thu May 11 2023 23:31:21 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

If you ever make it near me, yell.. 

Thu May 11 2023 07:27:57 PM EDT from IGnatius T Foobar
 (like right now ... hello from the Atlanta airport) 

 



[#] Fri May 12 2023 20:28:25 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

I don't know where you are.

[#] Fri May 12 2023 20:45:50 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Thought i mentioned it before.  Central Indiana 

Fri May 12 2023 04:28:25 PM EDT from IGnatius T Foobar
I don't know where you are.

 



[#] Wed Jul 12 2023 20:36:54 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

So this is a strange one. ( to me anyway )

We have an azure tenant. ( ya i know.. MS.. ick )

Our account people created an AD account for someone not in our forest, to access my stuff.  Attached Azure MFA to it ( required by me to get access to my stuff )

They made the UPN the remote domain ( with email attribute email the same even tho we dont host their domain ) and while it would work on-wire, supposedly that is not workable external as MFA it bitched about the account not being part of our tenant. Even tho the account was in our forest..  Change UPN to one of our domains, leave email alone, it worked ( and screws up my system as i assume UPN = Email but i worked around it )

Seems odd to me, its in our forest, who cares what we call it? I would think just being in our forest = being in the tenant 

 

( and of course over night the UPN reverted back to pre-change values and broke again.. )



[#] Sat Aug 05 2023 03:32:24 UTC from zelgomer

[Reply] [ReplyQuoted] [Headers] [Print]

Let's say, hypothetically, someone was such a workoholic that they wanted to connect to their office PC from their home PC so that they can work late nights and weekends. This person really prefers to use their home PC because it's really good and has a nice big screen and so on. Also it's super inconvenient to use the company laptop because it's slow, the VPN requires frequent reauthentication, and security policies and spyware has gotten so draconian that this person frankly doesn't trust having the device in their home.

So this person devises a back door using ssh tunnelling over stunnel (required to diguise the traffic as https because the company's firewall won't allow ssh to make it out of the office). Which of these two configurations do you think is the least suspicious or likely to result in discovery?

1. Configure the office PC to open a stunnel client to a controlled host, then use ssh over that to forward a remote port to localhost.
2. Configure the laptop to open a stunnel client to a controlled host, then use ssh to forward that to the office PC. The laptop is Windows. The laptop is then kept someplace isolated and connected only by sequestered guest wifi when in use. When not in use, it's shut off and put in a shed outside.

My thoughts: 1 is simpler and more direct, but it looks like an https connection that has constant activity and never dies. 2 is more wasteful since all data comes into the home network and then out again through the vpn, but it has the benefit that traffic does go through the vpn not wrapped in stunnel, so it looks the same as if a person were just using the laptop normally, except for the active https connection, but at least that comes and goes with the work hours, so it looks like a human and not like malware.

[#] Sat Aug 05 2023 12:10:45 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

In our case, they monitor ( and just learned, keep logs for months ) of all traffic. Restrict what you can run. Scan what you can run. Block ports. And you sign papers that if you cheat you get bounced out the door.

Do they pay you for after hours? If not id say f-it and find something else to keep yourself occupied at night. Get a hobby.



[#] Sat Aug 05 2023 13:48:19 UTC from zelgomer

[Reply] [ReplyQuoted] [Headers] [Print]

Do they pay you for after hours? If not id say f-it and find
something else to keep yourself occupied at night. Get a hobby.


Okay, but for the sake of argument only, let's say it was to be used during normal work hours too :)

Go to page: First ... 17 18 19 20 [21] 22 23