
markstos

@markstos@lemmy.world


Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

I understand that people enter the world of self hosting for various reasons. I am trying to dip my toes in this ocean to try and get away from privacy-offending centralised services such as Google, Cloudflare, AWS, etc....

markstos ,

DDoSing costs the attacker some time and resources, so there has to be something in it for them.

Random servers on the internet are subject to lots of drive-by vuln scans and brute force login attempts, but not DDoS, which is more costly to execute.

markstos ,

Google: trust us, we can’t see your VPN traffic.
Most users: No.

markstos ,

All the hardware support for the Mac Mini is complete and working.

I’ve had no problems running Asahi Linux on an M1 Mac Mini.

markstos ,

There are plenty of Linux containers available for ARM in part because a lot of developers want to run Linux containers within macOS on Apple Silicon.

That has had the effect of improving the experience of running Linux directly on ARM servers.

markstos ,

I host using an M1 Mac Mini using Fedora Asahi Linux. Installed easily, no problems. Fast and quiet!

I ran a Minecraft server for a while. Worked fine.

markstos ,

I didn’t pay a premium, I got a great deal.

The reverse engineering work was already complete, and all the containers I needed for ARM were available.

These have great performance per watt.

markstos ,

I’ve donated to marcan to work on Asahi Linux, which gets upstreamed. That’s direct.

What has better performance per watt than M1 at a better price?

markstos ,

Other efficiency benchmarks place Apple Silicon and AMD chips ahead of Intel chips:

https://www.cpu-monkey.com/en/cpu_benchmark-cpu_performance_per_watt

markstos ,

Considering the database itself is relatively small, PostgreSQL could end up largely caching it in memory, so even hosting the DB on an HDD might not feel much slower.

markstos ,

Are you installing this for someone else?

markstos ,

As someone who has done e-commerce development and supports FLOSS and self-hosting, this is something I would outsource.

It’s complex, and you can’t really handle payments yourself anyway. That requires certification.

And people really don’t like it when their e-commerce is down and may be able to quantify lost business due to an outage or bug in dollars or cents. It doesn’t feel great to realize something on your end resulted in hundreds of dollars of lost business.

If the business is very small, places like Shopify have cheap starter tiers.

markstos ,

Exactly what is the auto prompt you see?

markstos ,

It’s the age-old choice between old and stable vs new and shiny.

The meme’s opinion is that old stable is the better choice, although that’s not always true.

markstos ,

As someone who has had a career in hosting: good luck.

Don’t forget backups, logging, monitoring, alerting on top of security updates, hardware failure, power outages, OS updates, app updates, and tech being deprecated and obsolete at a rapid pace.

I’m in favor of a decentralized net with more self-hosting, but that requires more education and skill. You can’t automate away all the unpleasant and technical bits.

markstos ,

Former professional email host here. Email is like 90% spam.

If you want to spend your free time battling the ever evolving landscape of spam, enjoy.

Otherwise, work with a pro mail provider you trust.

markstos ,

Lower hood bonnet height. So victims get thrown on the hood with a better chance of survival. With a high hood height, people are more likely to get knocked down and run over.

Hosting a writefreely.org instance (k.fe.derate.me)

Looking through the writefreely.org instances on their website, a lot of the links are dead or closed for registration. The one that is open and working is promoting a paid version. Is hosting a writefreely instance heavy on resources, attracting the wrong people or just not "cool" enough?

markstos ,

Ghost is working on adding ActivityPub to their self-hostable blog software now.

markstos ,

You can get similar security in rootful mode, by making sure within the container the adguard binary is not running as root.

markstos ,

In both cases of rootless and rootful-with-non-root process your process is running as a non-root user with respect to the host.

Breaking out of the container will require two steps. First, adguard itself must be exploited. A second exploit is then required to elevate privileges from the adguard user to root.

If your attacker successfully gets that far, then having a rootless container would matter, because in a rootful container, root in the container equals root on the host. In a rootless container, "root" only gives you the abilities of the user running the rootless container.

But as you've found, rootless containers can be a pain.

Making sure your container is running as non-root user in a rootful container is better than giving up.

markstos ,

My dog authenticates access to back yard with a Yubark Key that works over the wireless audio network.

markstos ,

I’ve generated HTML before and then used an HTML to PDF converter as a second step. If you were already familiar with building webpages, this might be a good option.

markstos ,

Vegans already think about grilling meat in terms of charring animal carcasses.

markstos ,

It’s all true. The bird muscle, the animal flesh, the carcasses and the propensity of humans to cook it so we can tolerate eating it. This is unlike obligate carnivores like our cats which enjoy ripping the flesh off the bone with their teeth and eating the bird muscle right off the fresh carcass.

markstos ,

I mean, had it been rewritten in Rust yet?

What to be aware of before opening port 25 on a postfix Raspberry Pi?

I have a raspberry pi running postfix. I realised unless I open port 25 I absolutely cannot receive emails (I have 587 open and can send but not receive them). However I heard there are scaries online which someone could potentially send emails from your server without consent. I believe as well my ISP doesn't block port 25. Is...

markstos ,

Agreed. I used to host email professionally and would not recommend managing your own mail server. It will constantly be under attack by spammers and if the inbox email address is exposed at all, soon 90% of incoming mail will be spam and you’ll need antispam software to filter it.

markstos ,

Agreed. Tailscale is very easy to setup.

Recommendations please: Self-hosted web site analytics

Hello y'all! I have my personal (static) website / blog running on netlify out on the public internet. Netlify, in case you're not familiar, is not a traditional web host, so I can't add databases or anything else like that on the server itself. Right now, that site has zero analytics / visitor tracking and I've decided I want...

markstos ,

I also host Matomo. It was easy to install and has been easy to maintain.

markstos ,

The same week they’re laying off 14,000 employees?

markstos ,

Another good place to ask Podman questions is the Podman discussion forum: https://github.com/containers/podman/discussions

markstos ,

How are you certain all your porn is legal?

markstos ,

In addition to "encryption at rest", also consider that your devices might be exploited over the internet, so attackers may be able to access the decrypted state that way. To guard against that, you may wish to encrypt certain documents with an additional password, even if they are sitting on an encrypted file system.

Recall that within a month, the widely used SSH was exploited and a backdoor added to every machine. I had upgraded to that SSH version. I didn't run an SSH server on that box, but it goes to show that even those who take precautions can end up exploited!

markstos ,

It’s defense in depth. If I encrypt a rarely used file, capturing my keystrokes will eventually work, but it might be weeks or months before I return to decrypt that file. In the meantime, I might have realized I was hacked and restore the system.

Network loss after 24hrs on Docker LXC

Fine folks of c/selfhosted, I've got a Docker LXC (Debian) running in Proxmox that loses its local network connection 24 hours after boot. It's remedied with a LXC restart. I am still able to access the console through Proxmox when this happens, but all running services (docker ps still says they're running) are inaccessible on...

markstos ,

It's convenient when it works, but with three different containerization technologies, it's harder to debug when Proxmox+LXC+Docker fails. Even running Docker in parallel to LXC rather than nested would be simpler.

markstos ,

LXC/LXD can be highly available (HA), stable, work and provide kernel isolation as well (real VMs): https://ubuntu.com/blog/lxd-virtual-machines-an-overview

markstos OP ,

I’m not trying to send mail directly from the host, only forward it to a host that’s prepared to send. I’m using Mailgun for that.

markstos OP ,

I have an SMTP server. I need a sendmail binary that does one thing well: send the message to the SMTP server.

markstos OP ,

Tried that. Yes, it has the feature I need. But it has a rather complex feature set and documentation when I just need to send my mail to an SMTP server. I ran into problems configuring it for this in the past which were difficult to diagnose due to the volume of config options and docs. That’s what led me to explore tools that had only the features I needed and no more, like msmtp or nullmailer.

markstos OP ,

Sendmail is a binary provided by a mail system and no mail system is installed by default on Fedora.

I’m looking for a solution that’s as simple as possible: provide a sendmail binary to pass the message to a third-party SMTP server.

I’ll connect to Mailgun via TLS— no port 25 involved.

markstos OP ,

Sendmail is a full-blown MTA released 41 years ago that is notoriously difficult to manage. There are reasons that its market share has declined from 80% to about 3%. I'm also not looking for an MUA, like mutt. I'm looking for a simple MTA that only relays outbound mail, like msmtp, ssmtp or nullmailer.

markstos OP ,

I found a nice Ansible role for nullmailer, but found that it is not packaged for Fedora, but msmtp and ssmtp are. I think I may try ssmtp next. Despite its unmaintained status, somehow it's packaged and nullmailer isn't.

markstos OP ,

Thanks. Turns out it's not in Fedora.

markstos OP ,

I need a sendmail binary that sends outgoing mail to an SMTP server with as few other features as possible.

markstos OP ,

Thanks. This is just for forwarding from mail and the like, so occasional loss of mail due to lack of spooling could be tolerated.

markstos OP ,

The one problem with msmtp is that it doesn't rewrite headers, like "From: root / To: root". These are not required for SMTP, but they are required by some mail providers who will reject email that doesn't have an "@" sign in these headers. The author of msmtp has said he does not plan to add this feature.

I worked around the issue with my own sendmail wrapper that rewrites local addresses in From and To headers before passing the message to msmtp. Someone else posted such a script in this bug report:

https://github.com/marlam/msmtp/issues/98
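The header-rewriting sendmail wrapper the comment mentions is not shown in the thread. Here is an added example, not the author's script or code from the msmtp project, that performs that rewrite for From/To/Cc headers; it assumes awk and msmtp are installed and takes the domain to append as its first argument (a hypothetical interface).

```shell
#!/bin/sh
# Added example, not the thread author's wrapper or msmtp project code.
# Rewrites bare local addresses ("From: root", "To: root") in the header
# block to user@DOMAIN before handing the message to msmtp, so providers
# that reject addresses without an "@" accept it. Assumes awk and msmtp
# are installed; the domain is passed as the first argument (hypothetical).
# Folded (continuation) header lines are not handled.

# rewrite_local_headers DOMAIN   (message on stdin, rewritten copy on stdout)
rewrite_local_headers() {
    awk -v domain="$1" '
        BEGIN { in_headers = 1 }
        # The first empty line ends the RFC 5322 header block; the body is untouched.
        in_headers && /^$/ { in_headers = 0 }
        in_headers && /^(From|To|Cc):[ \t]/ {
            colon = index($0, ":")
            name  = substr($0, 1, colon - 1)
            n     = split(substr($0, colon + 1), addrs, ",")
            out   = ""
            for (i = 1; i <= n; i++) {
                a = addrs[i]
                gsub(/^[ \t]+|[ \t]+$/, "", a)
                if (a !~ /@/) {
                    # Keep a trailing comment such as "(Cron Daemon)" after the address.
                    comment = ""
                    if (match(a, /[ \t]*\(.*\)$/)) {
                        comment = substr(a, RSTART)
                        a = substr(a, 1, RSTART - 1)
                    }
                    a = a "@" domain comment
                }
                out = out (i > 1 ? ", " : "") a
            }
            $0 = name ": " out
        }
        { print }
    '
}

# When installed as the system sendmail and called with sendmail arguments
# (e.g. "-t" or a recipient list), rewrite the headers and pass the message
# on to msmtp with those same arguments.
if [ $# -gt 0 ]; then
    domain=$(hostname -f 2>/dev/null || echo localhost)
    rewrite_local_headers "$domain" | msmtp "$@"
fi
```

Addresses that already contain an "@" are passed through unchanged, so only the local cron-style headers are touched.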

markstos OP ,

In the issue I linked, the msmtp author makes a distinction between changing the envelope recipient, which msmtp can do, and rewriting the email headers like “To”, which msmtp does not do.

markstos ,

This. Tailscale is a VPN solution for this that's free for personal use.

Giving up on selfhosted email / Any sane email setups?

So I've been running self-hosted email using Mailu for a couple of months (after migrating out of Google Workspace). Today it turned out that although my server seems to be capable of sending and receiving emails, it also seems to be used by spammers. I've stumbled upon this accidentally by looking through logs. This seems to have...

markstos ,

I hosted email professionally for over a decade... and I can't recommend getting back into the business. At that time we were using Qmail, although I also have experience managing Exim and Postfix. About 90% of incoming email remains spam.

For outgoing email for things like server cron mail, a stub service like msmtpd can be used to receive local mail and forward it to a local service.

To receive and host email, Fastmail is good.
