atzanteol

atzanteol , 8 days ago to Selfhosted in Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

No point talking to you then.

atzanteol , 8 days ago to Selfhosted in Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

... You're joking right?

atzanteol , 8 days ago to Selfhosted in Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

I'm positive that F5's marketing department knows more than me about security and has not ulterior motive in making you think you're more secure.

Snark aside, they may do some sort of WAF in addition to being a proxy. Just "adding a proxy" does very little.

atzanteol , 8 days ago to Selfhosted in Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

They may offer some sort of WAF (web application firewall) that inspects traffic for potentially malicious intent. Things like SQL injection. That's more than just a proxy though.

Otherwise, they really don't.

atzanteol , 8 days ago to Selfhosted in Server for a boat

HDDs don't do well when rotated

The original iPod had an HDD in it. You can rotate HDDs. Sharp impacts may be risky though, especially for a non-laptop drive.

atzanteol , 9 days ago to Selfhosted in Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

Put your reverse proxy in a DMZ, so that only it is directly facing the intergoogles

So what? I can still access your application through the rproxy. You're not protecting the application by doing that.

Install a single wildcard cert and easily cover any subdomains you set up

This is a way to do it but not a necessary way to do it. The rproxy has not improved security here. It's just convenient to have a single SSL endpoint.

There’s even nginx configuration files out there that will block URL’s based on regex pattern matches for suspicious strings. All of this (probably a lot more I’m missing) adds some level of layered security.

If you do that, sure. But that's not the advice given in this forum is it? It's "install an rproxy!" as though that alone has done anything useful.

For the most part people in this form seem to think that "direct access to my server" is unsafe but if you simply put a second hop in the chain that now you can sleep easily at night. And bonus points if that rproxy is a VPS or in a separate subnet!

The web browser doesn't care if the application is behind one, two or three rproxies. If I can still get to your application and guess your password or exploit a known vulnerability in your application then it's game over.

atzanteol , 9 days ago to Selfhosted in Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

My reverse proxy setup allows me to map hostnames to those services and expose only 80/443 to the web,

The mapping is helpful but not a security benefit. The latter can be done with a firewall.

Paraphrasing - there is a bunch of stuff you can also do with a reverse proxy

Yes. But that's no longer just a reverse proxy. The reverse proxy isn't itself a security tool.

I see a lot of vacuous security advice in this forum. "Install a firewall", "install a reverse proxy", etc. This is mostly useless advice. Yes, do those things but they do not add any protection to the service you are exposing.

A firewall only protects you from exposing services you didn't want to expose (e.g. NFS or some other service running on the same system), and the rproxy just allows for host based routing. In both cases your service is still exposed to the internet. Directly or indirectly makes no significant difference.

What we should be advising people to do is "use a valid ssl certificate, ensure you don't use any application default passwords, use very good passwords where you do use them, and keep your services and servers up-to-date".

A firewall allowing port 443 in and an rproxy happily forwarding traffic to a vulnerable server is of no help.

atzanteol , 9 days ago to Selfhosted in Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

Reverse proxies don't add security.

atzanteol , 11 days ago to Selfhosted in Looking for a music server

I like Subsonic. The interface is a bit dated but it supports multiple users and has excellent android apps.

atzanteol , 19 days ago to Selfhosted in Suggest me a secure chat platform for my family

IP was invented in the '70s. Sometimes older protocols that work are just fine.

atzanteol , 19 days ago to Selfhosted in How do I do a bare-metal install (Debian) without a monitor+keyboard?

I picked up a second hand monitor from a goodwill shop for like $7USD. It would be worth having a display of some sort for troubleshooting.

atzanteol , 20 days ago to Selfhosted in Nextcloud or Syncthing - which one do you suggest?

Thanks! Updated.

atzanteol , 20 days ago (edited 20 days ago) to Selfhosted in Nextcloud or Syncthing - which one do you suggest?

Quick pros/cons from what I've read (correct me if I'm wrong - I've not used syncthing myself):

syncthing

Pros:

• Easy to setup and use.
• No infrastructure to maintain
• Will sync directories between computers

Cons:

• Uses third party resources to sync by default (can setup direct sync if needed/wanted however)
• Only does directory synchronization

Nextcloud

Pros:

• Can synchronize directories
• Entire synchronization pipeline is under your control
• Offers a lot more functionality if you want it (WebDAV, Calendars, public shares with "anyone with URL can view" permission, etc.)

Cons:

• You need to setup/maintain your Nextcloud server
• Can be fiddly to setup for some (wasn't for me - but lots of people do complain about it).

atzanteol , 20 days ago to Selfhosted in Nextcloud or Syncthing - which one do you suggest?

Do you think webdav somehow dumps you database? No it’s just a protocol to save your files on your webserver. It’s just a middelman.

Umn. It allows the application to do its own synchronization and diff resolution. It's why they recommend it.

Directory synchronization is a "best effort" to copy files back and forth without considering the application's needs. Copying database files while they're being written can be problematic for example.

Both Nextcloud and syncthing will synchronize a folder. And it will probably work if you aren't making lots of changes on both systems. But there is increased risk.

Yeah it’s my recommendation from my personal experience. Is that wrong?

Yes - absolutely. "I've been lucky so far" and recommending against what the product you're using says you should do is TERRIBLE advice.

The point is, syncthing is rock solid, never had any issue being it with my zotero database or syncing files between my devices. If you’re a Nextcloud advocate or are against my personal opinion so be it :).

Why are you getting defensive towards syncthing? It seems fine. It's the wrong tool for what you're using it for.

atzanteol , 20 days ago to Selfhosted in Nextcloud or Syncthing - which one do you suggest?

What does this mean?

it's not just a copy. It syncs the folder.

It's remarkable to me that you recommended to somebody an option that is the exact opposite of what you know to be true.