
towerful

@towerful@programming.dev


towerful ,

It's not a workaround.
In the old days, if you had 2 services that were hard coded to use the same network port, you would need virtualization or a different server and make sure the networking for those is correct.

Network ports allow multiple services to use the same network adapter as a port is like a "sub" address.
Docker being able to remap host network ports to containers ports is a huge feature.
If a container doesn't need to be accessed outside of the docker network, you don't need to expose the port.

The only way to have multiple services on the same port is to use either a load balancer (for multiple instances of the same service) or an application-aware reverse proxy (like nginx, haproxy, caddy etc for web things, I'm sure there are other application-aware reverse proxies).

towerful ,

Surely you want to enable 802.1q? Like, that is vlan aware switching and routing. Or is that on the nas?

Edit:
Some troubleshooting:

Connect a laptop into the same subnet as your NAS (so same VLAN and IP range/subnet) and connect to the NAS. This either eliminates the NAS or the router from the equation.

towerful ,

If they are on the same subnet, why are they going via the router? Surely the NIC/OS will know it's a local address within its subnet, and will send it directly; as opposed to not knowing where to send the packet, so letting the router deal with it.

I'm assuming you are using a standard 24-bit subnet mask, because you haven't provided anything that indicates otherwise and the issue you present would be indicative of a local link being used - this possible

towerful ,

That whole "shortest path" has caught me out before (tho in a different way)!
And firewall logs of "state violation" aren't always helpful when that's pretty much the default log message

towerful ,

I'm sure this is a meme, but the trust is proving the OS is not tampered with.
Like, if malware was able to inject a malicious Windows update URL into the OS, and inject a malicious certificate that gets the OS to trust the malicious updates from the malicious URL.
The signature of the OS would then differ from what the TPM/CPU recorded during OS boot and what the TPM/CPU has hashed during running. This would indicate that the OS has been tampered with.
So the trust in TPM is that the TPM and CPU are working together correctly (which is certified during manufacturing), so that the TPM can then attest that the OS (or software or whatever) hasn't been tampered with.

So yeh, it's MS (or whatever software company) trusting that the software it is interacting with is running as it is intended
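The measured-boot chain the comment above describes, as an added example (not the commenter's code and not any vendor's TPM firmware): one SHA-256 PCR bank, extended stage by stage, and a verifier comparing the result with a known-good value. The boot components, URLs and CA names are constructed placeholders.

```python
import hashlib
import hmac

# Constructed measured-boot model (added example; not the commenter's code nor any
# vendor's TPM implementation). One SHA-256 PCR bank behaves like TPM 2.0 extend:
#   PCR_new = SHA256(PCR_old || SHA256(component))
# A PCR starts at zero at power-on and can only be extended, never rewound, so a
# verifier holding the expected ("golden") value can tell that *something* in the
# measured chain changed, even without knowing which stage.

PCR_SIZE = 32  # bytes, SHA-256 bank


def measure(component: bytes) -> bytes:
    """Measurement of a boot stage: a digest of its bytes (binary or config blob)."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one bank: hash the old value with the digest."""
    assert len(pcr) == PCR_SIZE and len(measurement) == PCR_SIZE
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components) -> bytes:
    """Boot as firmware/bootloader would do it: extend each stage, in order."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to all-zero at power-on
    for comp in components:
        pcr = pcr_extend(pcr, measure(comp))
    return pcr


def attest(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Verifier side: the PCR carried in the (signed) quote must match the golden value."""
    return hmac.compare_digest(reported_pcr, golden_pcr)


# Constructed boot chain: stand-ins for firmware/kernel images, followed by the
# update-source config and the trusted CA list that the comment talks about.
GOOD_BOOT = [
    b"bootloader-v1",
    b"kernel-v1",
    b'update_url = "https://update.example.test/"',  # placeholder URL
    b"TRUSTED_CA: vendor-root-ca",
]
GOLDEN_PCR = measured_boot(GOOD_BOOT)  # recorded once on a known-clean machine

# The tampering scenario from the comment: the update URL is swapped and an extra
# CA is trusted so the fake updates validate. Nothing else changes, yet the PCR
# value no longer matches and attestation fails.
TAMPERED_BOOT = [
    b"bootloader-v1",
    b"kernel-v1",
    b'update_url = "https://update.attacker.test/"',  # placeholder URL
    b"TRUSTED_CA: vendor-root-ca\nTRUSTED_CA: attacker-ca",
]


if __name__ == "__main__":
    print("clean boot attests   :", attest(measured_boot(GOOD_BOOT), GOLDEN_PCR))      # True
    print("tampered boot attests:", attest(measured_boot(TAMPERED_BOOT), GOLDEN_PCR))  # False
```

A real TPM quote is signed by an attestation key and shipped with an event log so the verifier can see which stage diverged; the model above keeps only the PCR arithmetic.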

towerful ,

If you want to power your house independently from the grid, your house has to be independent from the grid.
Anything where you sell your excess power back to the grid is in tight cooperation with the grid operators.

Standard house wiring is not set up to accommodate back feeding the grid nor independently powering.
So you will need a changeover switch professionally fitted if you want an independent power source, or your solar panel installers will fit the appropriate equipment to back-feed the grid.
Anything else will likely involve deaths, fires, broken equipment, criminal prosecution, insurance invalidation and all that nasty stuff.

towerful ,

Well, if the Tories get back in then deporting people to Rwanda and expansion of oil drilling in the North Sea will be guaranteed.
Voting for lab, there is a chance that these will be cancelled.

Tories have had decades in charge, and shit is fucked.
Labour are more progressive - not enough for my taste, but better than constant austerity

towerful ,

Yup. Such is a 2-party system.
Vote for the less-evil

towerful ,

People hate having their favorite brand associated with vile or unethical things.

True. But not ads, which this quote is talking about. People hate ads. It's the ads people hate, not the context of the ads.
If your favourite brand hired some neo-nazi as their new spokesperson, that's a bit different than some garbage ad sitting beside some garbage AI content.
The only reason "ads beside garbage content" is ever leveraged (ie a news story) is as a way to either hurt the garbage content or hurt the company the ad is for.

Like with shitty twitter content, consumers can pressure twitter to deal with the content by alerting companies that they are being seen next to shitty content. Companies then leverage the fact that they are paying twitter to get their ads away from that content. If enough companies do this, twitter might change their content policy to prevent this kind of shitty content.
Like with YouTube, it has loads of demonetizing policies to ensure companies who advertise there don't get negative press due to association with the content, which means YouTube should have a majority of quality content.

But, no. (The majority of) People don't hate their brand advertising next to particular content. People just hate ads.

towerful ,

Bitwarden, DNS and email are the 3 services I pay for.
Passwords can't be inaccessible, free DNS services never have an LE API, and email is extremely difficult to self host. The uptime and security I expect for these things means I'm happy paying someone else to take care of it.

Bitwarden seem to be a great company and doing everything right (even though they are being annoyingly slow with passkeys on Android, my only fault with their service).
Their subscription is extremely reasonable, so even if I figured I could self host it, I'd rather pay bitwarden

towerful ,

Between the for-profit businesses of Google and bitwarden, I'm going to trust bitwarden more.

towerful ,

The certs are still valid.
They are just not implicitly trusted

towerful , (edited )

LE certs can always be "side loaded" by acme.sh or LEbot or whatever, and the reverse proxy restarted to use the new certs. So, the whole "pro subscription to use specific certs" shouldn't be a factor, except a little more work/config (so, money Vs time).

Now for my opinion...

For base security, all it's doing is looking at whatever you tell it to look at in an http request and forward/drop/block as such.
HAProxy is well battle-tested. Nginx is well battle-tested. Traefik and caddy are comparably newer contenders, but considering their adoption they are probably well battle-tested.
Which means, an established reverse proxy is only going to be as secure as the software it's forwarding traffic to.

If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible...
But at least an attacker only gets access to the reverse proxy server. Which is why it's worth having that in a locked down isolated VM, ideally built in a way that is extremely easy to rebuild (declarative configs like docker-compose and some scripts, or even something like nixos for an immutable OS).

As for add-ons... Most WAFs only look for things like XSS injection or SQL injection or exploitative HTTP request formats. Very very basic attack vectors that any decent HTTP stack and reasonably built software shouldn't even have to worry about.
Any DDoS protection is more likely to blast your network connectivity, which (for self hosting) a WAF isn't going to be able to do anything about.
I'm not sure how good they actually are against a DOS attack that is caused by bugs/inefficiencies in the application. Maybe they monitor for long/increasing response times, and block further requests to them? Might cause a lot of false-positives for your users.

So, the only real benefit - that I see - are zero-day exploit protections.... and that only matters if they are built around near-realtime updates like crowdsec is. I don't know how it compares to Cloudflare's WAF, tho.
Any zero-day protection that isn't being managed and updated in near-realtime is about as effective as you monitoring news of your installed services/programmes and updating them regularly. Because you are likely to update your WAF and apps when you hear about those, or regular scheduled updates will deal with them before you even learn about them.

I guess there is security in layers, and if layers of security is more important than CPU consumption/response time/requests per second (ie have an abundance of processing, servicing few users, etc) then it might be a no-brainer.

The only other time I can see a generic WAF being useful is if you have rolled your own framework and HTTP stack, and are running your own software. Because, you won't get that right... So might as well have the extra protection of a WAF.

Or, I guess, with really old unsupported software.
But surely there is a newer take or fork of it?

There is also the "am I worth it" factor.
Like, what is your actual threat model?
Defend against the usual script-based attacks (i.e. low hanging fruit), only expose/forward ports that are actually required, use some sensible security that isolates more vulnerable systems (i.e. a proxy) from more sensitive (i.e. a database or storage), and update regularly on stable/LTS branches.

Edit:
I just googled bunkerweb.
First we had firewalls. Then we got web application firewalls. Along came next generation firewalls. Now we have Next Generation Web Application Firewalls with paid features like "Pay per protected services" and "Best effort support included"

Maybe I'm just salty

towerful , (edited )

That got a bit long.
Reading more into bunkerweb.

Things like the "limit" feature are going to doink people on CGNAT or large corporate networks. I've had security stuff tripped by a company using my software, and it's a PITA cause all the requests from legit users come from only a few IP addresses.

Antibot isn't going to be helpful for things like JS requests, because cookies aren't included by default with fetch requests - so the application needs to be specifically built for this (at which point, do it at an application level so it can scale easier?).
And captcha. For whatever that is worth these days.

Reverse Scan is going to slow down every request (as it scans the remote client for suspicious open ports, so a 500ms delay as default).

Country is just geo-ip.

Bad Behaviour is just rate limiting (although with a 24h ban). Sucks if a few corporate/cgnat users all hit a 404 and suddenly that entire company/ISP's IP is blocked for a day.

This seems like something to use when running a TOR server or something, where security is more important than user experience. Like, every feature seems to punish legit users
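The CGNAT/corporate-NAT problem described in the comment above, as an added simulation (not BunkerWeb's code or configuration): a "bad behaviour" style rule that counts 4xx responses per source IP and bans the IP for 24h. The traffic, the threshold and the 203.0.113.0/24 addresses are constructed.

```python
from collections import defaultdict, deque

# Constructed simulation (added example; not BunkerWeb's code or configuration):
# count client-error responses per source IP inside a sliding window and ban the
# IP for 24h once a threshold is reached. Because the only key is the source IP,
# everyone behind one CGNAT or corporate NAT address shares a counter and a ban.

WINDOW_S = 60          # sliding window for counting 4xx responses (assumed)
THRESHOLD = 5          # 4xx responses inside the window that trigger a ban (assumed)
BAN_S = 24 * 3600      # ban duration: the 24h the comment mentions


class BadBehaviourRule:
    def __init__(self, threshold=THRESHOLD, window_s=WINDOW_S, ban_s=BAN_S):
        self.threshold, self.window_s, self.ban_s = threshold, window_s, ban_s
        self.hits = defaultdict(deque)   # ip -> timestamps of recent 4xx responses
        self.banned_until = {}           # ip -> unix time when the ban expires

    def is_blocked(self, ip, now):
        """True while the IP is banned; expired bans are forgotten."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            return False
        return True

    def record(self, ip, status, now):
        """Count a served response; ban the IP once THRESHOLD 4xx fall in the window."""
        if not 400 <= status < 500:
            return
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            self.banned_until[ip] = now + self.ban_s
            q.clear()


# Constructed traffic: five different people in one office follow a stale
# bookmark (404) within a minute; two colleagues, and later one of the original
# users, come back with perfectly valid requests. (t_seconds, user_id, status)
REQUESTS = [(0, 1, 404), (2, 2, 404), (4, 3, 404), (6, 4, 404), (8, 5, 404),
            (10, 6, 200), (12, 7, 200), (3600, 1, 200)]


def simulate(shared_nat):
    """Replay REQUESTS through the rule; report how many valid requests were blocked."""
    rule = BadBehaviourRule()
    blocked = 0
    for t, user, status in REQUESTS:
        ip = "203.0.113.7" if shared_nat else f"203.0.113.{user}"  # documentation range
        if rule.is_blocked(ip, t):
            blocked += 1          # the request never reaches the application
            continue
        rule.record(ip, status, t)
    return {"blocked": blocked, "banned": sorted(rule.banned_until)}


if __name__ == "__main__":
    print("shared NAT :", simulate(True))    # 3 valid requests blocked, office IP banned
    print("distinct IP:", simulate(False))   # nothing blocked, nobody banned
```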

towerful ,

So, is public accessibility actually required?
Does it need to be exposed to the public internet?

Why not use wireguard (or another VPN)? Even easier is tailscale.
If you are hand selecting users (IE, doesn't actually need to be publicly accessible), then VPN is the most secure and just run a reverse proxy for ease & certs.
Or set up client certificate authentication, so only users that install a certificate issued by you can connect to the service (dunno how that works for 3rd party apps for Immich)

Like I asked, what is your actual threat model?
What are your requirements?
Is public accessibility actually required?

towerful ,

Apparently Amelia Tyler - the Narrator for BG3 - checked in on some random Twitch stream, and they had an AI voice trained from her narration controlled by Twitch chat - which was saying some fucking horrendous stuff.

Scary as fuck.

Remember to talk to everyone you know about voice scams. Scammers absolutely are leveraging this tech, and piling it on top of the usual "I've flushed my phone down the toilet, I'm texting from a mate's phone and I need money to buy a new one for my job interview tomorrow" kinda scams.
Agree on a password or something, so that if "you" ever call (edit: or text) and put them under pressure then they ask for the password. Scammers will instantly divert or bail.

towerful ,

Those "once in a lifetime" or "once in a decade" weather events seem to be quite common these days

Do companies store facial and voice recognition data from the thousands of hours of zoom/teams calls that their employees use?

I heard a person call into a show the other day, voice only, and talk about some poor working conditions at a factory. Made me think about how it would probably be so easy for nefarious bosses to be able to identify that person through voice recognition SW with all of the data that comes from us looking directly into cameras and...

towerful ,

Companies would only do it in response to an incident.
Same as any IT related thing. IT will block bad websites, maybe have some alerts for common stuff, but will only sift through logs when something goes wrong so they can assess the extent, impact and fixes for things.

The exceptions are probably like Amazon where they have the processing power and dev-time to do things like this to their own employees, which might also turn into a marketable product for other companies.
Military contractors might as well (Boeing...)

towerful ,

Training will never stop, tho.
New models will keep coming out, datasets and parameters are going to change.

towerful ,

I tried to wash my brain, but I couldn't find enough clean water

towerful ,

Ventoy is an OS.
It's a live Linux that boots from the USB stick you format/image with the ventoy tool. The rest of the space on the USB stick is configured to be essentially a standard USB drive.
The live Linux's sole purpose is to boot another image stored on the USB stick.

So, once you have "ventoy"d a USB stick, you can plonk GParted live ISO, Ubuntu, Debian, EOS, W10, W11... whatever ISOs you want. When you boot from that USB stick, you get the Ventoy menu screen and select the ISO you want it to continue to boot.

Basically, a bootloader on a USB stick

towerful ,

Oh yeh, saved my skin a few times.
And you can use it like a normal USB stick once your OS is up, so you can have some installers on there to speed things up

towerful ,

Unimogs are exciting

towerful ,

I feel like Talos Linux is NixOS applied to a very specific purpose: Kubernetes.
I've recently been playing with Kubernetes, and Talos Linux feels like cheating.

I think NixOS could have a huge unexplored market in server-side deployments. Install NixOS, connect to the fresh install via a CLI tool, apply the patches (flakes?), and have an easy way to reset to base NixOS when you make a mistake so you can try a different set of patches.
All from the cli, all with idempotent config files.

Google Cloud accidentally deletes UniSuper’s online account due to ‘unprecedented misconfiguration’ (www.theguardian.com)

More than half a million UniSuper fund members went a week with no access to their superannuation accounts after a “one-of-a-kind” Google Cloud “misconfiguration” led to the financial services provider’s private cloud account being deleted, Google and UniSuper have revealed.

towerful ,

Actually, it highlights the importance of a proper distributed backup strategy and disaster recovery plan.
The same can probably happen on AWS, Azure, any data center really

Apple crushes creativity and its reputation in new iPad ad (www.theregister.com)

The ad itself depicted a mechanical crusher destroying artifacts of human creativity. A trumpet, guitar, sculpture, piano, drawing board, paints, a metronome, several analog cameras, a turntable, and hi-fi equipment were among the much-loved items yielding to the machine's unstoppable force.

towerful ,

I got a pixel 8.
I'm really enjoying it.
But the camera doubles the thickness of the phone where it is.
And the case I have for it just gave up, and made the whole phone+case that thickness.
I'd have liked the actual phone to be that big, have a bit more battery - maybe even replaceable battery, a 3.5mm jack and stuff like that.
At some point, things get too thin to hold and use comfortably. I think the Nintendo switch highlights this, whereas the steam deck is much more comfortable to hold.

towerful ,

It's a quadlock case, so it kinda makes sense for it to be thicker. But previous phones/quadlock combos haven't been as thick

Does anyone know of a FOSS Firewall for Windows

I currently use TinyWall Firewall, it works very well, it's small/portable, no complaints I even donated to the Dev but I would really prefer open source, also it needs to be user friendly like TinyWall so my non-tech family members can/will use it like they do with TinyWall.

towerful ,

Do people really run Zenarmor, Snort or Suricata on their desktop?
Feels like a network firewall thing to do DPI for the whole house, instead of a per-machine thing.

After announcing increased prices, Spotify to Pay Songwriters About $150 Million Less Next Year (www.billboard.com)

When Bloomberg reported that Spotify would be upping the cost of its premium subscription from $9.99 to $10.99, and including 15 hours of audiobooks per month in the U.S., the change sounded like a win for songwriters and publishers. Higher subscription prices typically equate to a bump in U.S. mechanical royalties — but not...

towerful ,

I'm enjoying Tidal

towerful ,

I'm enjoying Tidal

towerful ,

Unfortunately, I've only found a wrapped up web client thing. Using the web page is probably similar.

The wrapped up web client works better than the native client on windows, tho. Not sure on sound quality, I haven't had an issue tho

towerful ,

Yeh, it's pretty amazing.
Only thing I miss from Spotify are the user generated playlists, where I can search for something like "liquid drum and bass" and get a bunch of playlists

towerful ,

Yeh, the electron wrapped Tidal HiFi for Linux. I just checked the GitHub, and it says it supports High and Max settings thanks to Widevine.
I swapped from Spotify to Tidal on windows and was blown away. Shortly after I started daily-driving Linux. I haven't done an A/B between the Linux electron version and the windows desktop version, but it hasn't annoyed me like Spotify did.

towerful ,

Yeh, that's where I'm at with it.
I've seen comments that Chromium does 48kHz, and the high quality is 44.1kHz, so there is sample rate conversion happening yada yada yada.
I'm not going to let perfection stand in the way of good.

Hopefully Tidal releases a native Linux client. That would be ideal.
Either way, it's better than Spotify. I'm not bombarded by podcasts, I'm not funding podcasts I wouldn't touch with a 10ft pole, and Tidal pays artists more than both Apple and Spotify.
It ticks enough boxes for me, and I'm super happy with Tidal

towerful ,

yay firefox

Oh wait, that's what came preinstalled with my distro. No need to run anything.

towerful ,

Ye, it's just a fancy /dev/null as a service

towerful ,

Classic ticket.
"It's broken, it doesn't work",
"what happened?",
"I ran it like the instructions said, and it didn't do anything",
"was there an error message?",
"I don't know. Something popped up, but it was in the way so I closed it",
"Do it again, don't close the error message, and tell me what it says"

Why is replacement for home device controls so complicated?

I recently learned about Home Assistant here on Lemmy. It looks like a replacement for Google Home, etc. However, it requires an entire hardware installation. Proprietary products just use a simple app to manage and control devices, so can someone explain why a pretty robust dedicated device is necessary as a replacement? The...

towerful ,

Gateway is a more specific name for a server.
Like web host is a more specific name for a server.

A server isn't anything fancy, it just serves a service.
If that is just a relay between your phone and local devices, that's what it's serving

towerful ,

Having multiple machines can protect against hardware failures.
If hardware fails, you have donor machines.
It's good learning, both for provisioning and for the physical (cleaning, customising, wiring, networking with multiple nics), and for multi-node clusters.

Virt is convenient, but doesn't teach you everything

towerful ,

Changing ports does nothing except reduce log chatter.
Security through obscurity is not security

towerful ,

But scriptkiddies and automated scans are not a security threat. If they were a legitimate threat to your server, you have bigger problems.
All it does is reduce log chatter.

Anyone actually wanting in would port scan, then try and connect to each port, and quickly identify an SSH port

towerful ,

Just have 2 IPv4 addresses assigned to your server. Have 1 for all your services, and run SSH on the other allowing root login with the password "admin".
A random IPv6 in the same subnet as your server is just obscurity.

The XZ exploit would be functionally similar to allowing root login using the password "admin".
Would doing that on a different port be secure? No? Then a different port is not security, it's obscurity.

Obscurity is just going to trip you up at some point and reduce log chatter.

And yes, running LTSB/stable is a sensible choice for servers.

towerful ,

It defends against the lowest level of automation. And if that is a legit threat in your model, you are going to have a bad time.
It's just going to trip you up at some point

towerful ,

Yes, because a password is security

towerful ,

I mean, even desktop Excel isn't great for that. Doubly so if you have to use dates/times and timezones

towerful ,

Not if they keep taking it away from you.
Then you are left with 0 vehicles while they fix it

towerful ,

But then it would just be a footrest
