• 2 Posts
  • 3 Comments
Joined 1Y ago
cake
Cake day: Jun 08, 2023

help-circle
rss

The person isn’t talking about automating being difficult for a hosted website. They’re talking about a third party system that doesn’t give you an easy way to automate, just a web gui for uploading a cert. For example, our WAP interface or our on-premise ERP don’t offer a way to automate. Sure, we could probably create code to automate it and run the risk it breaks after a vendor update. It’s easier to pay for a 12 month cert and do it manually.


Kids these days with their containers and their pipelines and their devops. Back in my day…

Don’t get me started about the internal devs at work. You’ve already got me triggered.

And, I can just imagine the posts they’re making about how the internal IT slows them down and causes issues with the development cycle.


Old school self hoster: scared of the security challenges of modern hosting
TL;DR: old guy wants logs and more security in docker settings. Doesn’t want to deal with the modern world. I’m on the sh.itjust.works lemmy instance. I don’t know how to reference another community thread so that it works for everyone, so my apologies for pointing at sh.itjust.works, but my thoughts here are inspired by https://sh.itjust.works/post/54990 and my attempts to set up a Lemmy server. I’m old school. I’m in my mid-50’s. I was in academia as a student and then an employee from the mid-80’s through most of the 90’s. I’ve been in IT in the private sector since the late 90’s. That means I was actively using irc and Usenet before http existed. I’ve managed publically facing mail and web servers in my job since the 90’s. I’ve run personal mail and web servers since the early 00’s. I even had a static HTML page that was the number one Google hit for an obscure financial search term for much of the 2000’s. The referer ip’s and search terms could probably have been mined for data. On the work side, I’ve seen multiple email account compromises. (I’d note zero when it was on premise Lotus Notes. All of the compromises were after moving to O365. Those stopped for years once we moved to MFA, but this year we’ve seen two where the bad actors were able to MitM MFA. That said I don’t regret no longer supporting an on-prem Domino server: https://m.youtube.com/watch?v=Bk1dbsBWQ3k ) I’ve also seen a sophisticated vendor typo squatting email, combined with an internal email compromise cost us significant cash. Other than email compromise, I’m not aware of any other intrusions. (There are two kinds of companies: those that know they’ve been hacked and those that don’t). I am friends with some IT people in a company where they were ransomwared. I still believe they have a tighter security stack than we do. I’m paranoid about security because like Farmer’s I’ve seen a thing or two. We keep logs for a year, dumped into a SIEM that is designed to make it unlikely bad actors can get into it even if they take over A/D or VMWare. My home logging is less secure but still extensive. The idea is even if I’m hit, I hope I have the logs to help me understand how and how extensively. I still have public websites at home, but they don’t contain any content that matters. The only traffic they see is attack attempts and indexers that will index them and then shove them down into oblivion. I’m fine with that. I still run a mail server at home. It’s mostly used so all my unique email addresses (sh.itjust.works@foo.com) can get forwarded to my personal O365 instance. If I need to reply using a unique address, I use alpine in an ssh session. Long prolog to explain my experience playing with a Lemmy instance this weekend. I’ve got an xcp-ng instance in the home lab and used it to get a Lemmy docker instance running. It’s not yet exposed to the outside world. I’m new to docker. I’m new to Lemmy. I’m new to Nginx. (See the “old school” in the title.). At work and at home, I deal with Apache. I’ve got custom mod_rewrite rules and mod_security in place to deal with many attacks. I’m comfortable dealing with the tweaks on both for websites that break because of some rules. I’ve tried putting an Apache proxy in front of my xcp-ng Lemmy instance, but it won’t work because Lemmy assumes an initial contact via http/1.1 with an http status code of 101 to push to http/2.0. Apache can proxy either but not both. And Lemmy isn’t happy of the initial connection is http/2.0. I’m also uncomfortable with my lack of knowledge regarding Nginx. I don’t know how to recreate my mod_rewrite rules and I don’t think there’s an equivalent to mod_security. Worse, I don’t see an easy way to retain docker logs. Yes, I can likely use volumes in a docker-compose.yml to retain them, but it’s far from clear what path that would be. I know all of these are solveable concerns with some effort, but I suspect few put in that effort. How do all of you who run containers in a home lab sleep at night knowing all that log data is ephemeral unless you take special effort? How do you sleep knowing the sample configs you are using in containers have little security built in?
fedilink

Yep. I’ve hosted my own mail server since the early oughts. One additional hurdle I’d add to you list is rDNS. If you can’t get that set up, you’ll have a hard time reaching many mail servers. Besides port blocking, that’s one of the many reason it’s a non-starter on consumer ISP.

I actually started on a static ISDN line when rDNS wasn’t an issue for running a mail server. Moved to business class dsl, and Ameritech actually delegated rDNS to me for my /29. When I moved to Comcast business, they wouldn’t delegate the rDNS for the IPv4. They did create rDNS entries for me, and they did delegate the rDNS for the IPv6 block. Though the way they deal with the /56 IPv6 block means only the first /64 is useable for rDNS.

But, everything you list has been things I’ve needed to deal with over the years.


Reddit already looks different for me
It’s not even June 12 for me, yet I suspect many subreddits went dark based on UTC. I moved to Reddit during the Digg migration. Thus, I got the default subscriptions from back in the day. Over the years, I’ve unsubscribed to things I felt were crap, and I’ve added a number of subreddits. Already, many have gone dark. My old.Reddit.com homepage already looks much different than normal, and I know that a few subreddits that do show have announced they’ll go dark. I assume they are US based and timing that locally. I’ve spent more time in the Lemmy fediverse than on Reddit since joining, but I’ve spent time on both. I’ll admit to cynical skepticism of the impact of the darkening. I still don’t think it will make a difference in Reddit policy, but I now believe it will have a larger impact on Reddit traffic than I imagined. I still expect it to have no change in Reddit attitude or really in Reddit users.
fedilink