Ya, not worth the effort or pain you will receive.
A few bucks to a hosting provider, done. Yes i know this was about zero trust... but in this day and age, 90% trust is good enough i think. Most providers would be destroyed if they got caught doing bad stuff.
Thu Jan 19 2023 06:54:15 PM EST from IGnatius T Foobar
Right. It is very much true, you're not going to be able to reliably run email from a residential Internet connection like the lazy dweeb in the article tried to do.
2023-01-19 19:01 from Nurb432
Ya, not worth the effort or pain you will receive.
I think it is worth doing, if only for the learning experience. It also lets you write down in your CV that you have mastered your Postfix/OpenSMTPD/Dovecot kung-fu.
Be sure to buy a bottle of migraine tablets.
:)
Fri Jan 20 2023 06:48:28 AM EST from darknetuser
2023-01-19 19:01 from Nurb432
Ya, not worth the effort or pain you will receive.
I think it is worth doing, if only for the learning experience. It also lets you write down in your CV that you have mastered your Postfix/OpenSMTPD/Dovecot kung-fu.
also lets you write down in your CV that you have mastered your
Postfix/OpenSMTPD/Dovecot kung-fu.
Your what now? :)
And i do wish i had 20 or 30k laying around that i didnt care about, to buy a couple of bigger GPUs.. Make things much faster. And could load larger datasets.
This could be network room material too, but security concerns are prompting this :) ( even rants or bottom feeders as these scumbags need beat with a bat )
So this week been getting hammered hard from script kiddies. More than normal. One now is hitting my nextcloud url ( i have Nginx on the outside ) and flooding it with enough bad logins that the NC server is now blocking my proxy IP ( since it has no way to know where this stuff is really coming from and all it sees is my internal proxy address ). Other ports being hit too as expected, but no effect as they were not open. But due to NC being offline in effect, last night i just shut all port mapping down and threw in the towel.
I'm thinking of just leaving my web services offline except on demand. But i would like to leave my OpenVPN server alive so i can still access my crap from the office or something.
It is on the standard port, but sniffers could find it on an odd port so i figured why bother.
In the bigger picture, how safe is this? You need a file to be able to connect, so its not like you can just randomly send id/passwords. Sure, i still run a DoS risk even with nothing exposed, but what about the basic risk of publishing that way in?
I guess i could add a login on the Nginx side ( i did that for my AI chat bot when i published it to play with at work ), but it still gives them an active port with a 'real' login to beat on.
And unrelated to the actual question, interesting thing was that it was coming from various ports on their end but was hitting 80 on my end to hit the NC URL.. is that new or have i never noticed? I have of course seen the random port to port scan, but not in this way where it does not match. ( but i admit i dont keep up on this stuff. )
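As an added illustration (not from this thread) of why the Nextcloud brute-force guard described above ends up blocking the proxy's own address: a toy failed-login limiter keyed on client IP, run first with no trusted proxies configured and then with the internal proxy network marked trusted so the X-Forwarded-For header the reverse proxy adds is honoured. All addresses, the sample attempts and the threshold are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample login attempts as the backend sees them:
# (direct peer address, X-Forwarded-For header from the proxy, login succeeded?).
# 10.0.0.5 is the internal reverse proxy, 203.0.113.7 a constructed attacker,
# 198.51.100.20 a constructed legitimate user at the office.
SAMPLE_ATTEMPTS = [
    ("10.0.0.5", "203.0.113.7", False),
    ("10.0.0.5", "203.0.113.7", False),
    ("10.0.0.5", "203.0.113.7", False),
    ("10.0.0.5", "198.51.100.20", True),
    ("10.0.0.5", "203.0.113.7", False),
    ("10.0.0.5", "203.0.113.7", False),
]
MAX_FAILURES = 5  # constructed threshold for this toy limiter


def client_ip(peer, forwarded_for, trusted_proxies):
    """Address a brute-force limiter should key on.

    X-Forwarded-For is only believed when the direct peer is a configured
    trusted proxy; otherwise anyone could spoof the header to dodge the
    limiter or get an arbitrary address blocked. Hops are walked from the
    right, skipping our own proxies, until the first untrusted one.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:
            return False  # malformed hop: never treat it as one of ours

    if not trusted(peer):
        return peer  # direct connection: the header is not ours to trust
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    # Header missing or every hop trusted: the proxy itself gets the blame,
    # which is exactly the failure mode that knocks the proxy offline.
    return peer


def blocked_addresses(attempts, trusted_proxies):
    """Return the set of addresses that reached MAX_FAILURES failed logins."""
    failures = defaultdict(int)
    for peer, xff, ok in attempts:
        if not ok:
            failures[client_ip(peer, xff, trusted_proxies)] += 1
    return {ip for ip, n in failures.items() if n >= MAX_FAILURES}
```

With an empty trusted list every failure is charged to 10.0.0.5 and the proxy is blocked; with the proxy network trusted only the attacking address is.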
In the bigger picture, how safe is this? You need a file to be able
to connect, so its not like you can just randomly send
id/passwords. Sure, i still run a DoS risk even with nothing
exposed, but what about the basic risk of publishing that way in?
It should be safe enough. I'd personally blacklist a good chunk of the internet from accessing my VPN ports anyway. If you connect mostly from one or two offices you may actually whitelist those IPs and set everything else default-deny.
Poorman's way of accessing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.
Poorman's way of accessing internal web services that are behind a
firewall is to have a proxy inside and use ssh forwarding to access
said proxy. ssh has enough tools for blocking bruteforcers as it is and
should be easy enough to defend. That is my approach for my personal
stuff.
This is how I do stuff, so consider me a poor man. I have ssh tunnels in my configs for accessing all kinds of things.
The office, that would work, but not from my phone.
Mon May 08 2023 04:57:50 PM EDT from darknetuser
If you connect mostly from one or two offices you may actually whitelist those IPs and set everything else default-deny.
In the past i did just this. But, ran into 2 things
1 - i was not using key-pairs and just a login, so it was sort of the same risk
2 - OpenVPN was transparent to all apps once connected.. and automatically did key-pairs so i didnt have to f with that myself for SSH.
Mon May 08 2023 04:57:50 PM EDT from darknetuser
Poorman's way of accessing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.
2023-05-08 19:33 from Nurb432
In the past i did just this. But, ran into 2 things
1 - i was not using key-pairs and just a login, so it was sort of the
same risk
2 - OpenVPN was transparent to all apps once connected.. and
automatically did key-pairs so i didnt have to f with that myself for
SSH.
The advantage with SSH is that even if you are using password auth, there are so many tools for bruteforce prevention for SSH that you can grab any random one with not much effort.
most of what i saw was IP blocks. ended up with such a large table of blocks, connections started slowing down
i think im safe with vpn, and its transparent. Unless someone comes up with a reason its bad that im not thinking of.
Wed May 10 2023 04:46:38 PM EDT from darknetuser
2023-05-08 19:33 from Nurb432
In the past i did just this. But, ran into 2 things
1 - i was not using key-pairs and just a login, so it was sort of the
same risk
2 - OpenVPN was transparent to all apps once connected.. and
automatically did key-pairs so i didnt have to f with that myself for
SSH.
The advantage with SSH is that even if you are using password auth, there are so many tools for bruteforce prevention for SSH that you can grab any random one with not much effort.
Poorman's way of accessing internal web services that are behind a
firewall is to have a proxy inside and use ssh forwarding to access
said proxy. ssh has enough tools for blocking bruteforcers as it is and
should be easy enough to defend. That is my approach for my personal
stuff.
<< raises hand >> Call me a poor man then :)
Actually I have a nice WireGuard mesh between my home network, my hosting network, and my darknet gateway (three different locations). I'd like to have my travel laptop on it too, but WireGuard doesn't play nicely with T-Mobile's NAT464XLAT gateways. So when I'm tethered with my phone (like right now ... hello from the Atlanta airport) I set up a local SOCKS server on SSH and then connect to my home server over a hidden port number:
ssh -D 5060 -p <hidden_port_number> ig@home.server.dom
And the browser is configured to connect to a SOCKS server on localhost:5060 (I recommend a browser extension called "Socks5 Configurator" which makes this easy).
Aaaaaaaand now we're boarding so it's time for me to sign off. From now until the next time, see you in the skies!
If you ever make it near me, yell..
Thu May 11 2023 07:27:57 PM EDT from IGnatius T Foobar
(like right now ... hello from the Atlanta airport)
Thought i mentioned it before. Central Indiana
Fri May 12 2023 04:28:25 PM EDT from IGnatius T Foobar
I don't know where you are.
So this is a strange one. ( to me anyway )
We have an azure tenant. ( ya i know.. MS.. ick )
Our account people created an AD account for someone not in our forest, to access my stuff. Attached Azure MFA to it ( required by me to get access to my stuff )
They made the UPN the remote domain ( with email attribute email the same even tho we dont host their domain ) and while it would work on-wire, supposedly that is not workable external as MFA it bitched about the account not being part of our tenant. Even tho the account was in our forest.. Change UPN to one of our domains, leave email alone, it worked ( and screws up my system as i assume UPN = Email but i worked around it )
Seems odd to me, its in our forest, who cares what we call it? I would think just being in our forest = being in the tenant
( and of course over night the UPN reverted back to pre-change values and broke again.. )
So this person devises a back door using ssh tunnelling over stunnel (required to disguise the traffic as https because the company's firewall won't allow ssh to make it out of the office). Which of these two configurations do you think is the least suspicious or likely to result in discovery?
1. Configure the office PC to open a stunnel client to a controlled host, then use ssh over that to forward a remote port to localhost.
2. Configure the laptop to open a stunnel client to a controlled host, then use ssh to forward that to the office PC. The laptop is Windows. The laptop is then kept someplace isolated and connected only by sequestered guest wifi when in use. When not in use, it's shut off and put in a shed outside.
My thoughts: 1 is simpler and more direct, but it looks like an https connection that has constant activity and never dies. 2 is more wasteful since all data comes into the home network and then out again through the vpn, but it has the benefit that traffic does go through the vpn not wrapped in stunnel, so it looks the same as if a person were just using the laptop normally, except for the active https connection, but at least that comes and goes with the work hours, so it looks like a human and not like malware.
In our case, they monitor ( and just learned, keep logs for months ) of all traffic. Restrict what you can run. Scan what you can run. Block ports. And you sign papers that if you cheat you get bounced out the door.
Do they pay you for after hours? If not id say f-it and find something else to keep yourself occupied at night. Get a hobby.