someacnt

joined 4 months ago
sorted by: new top controversial old
Ansible iptables best practices? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 1 points 2 hours ago

Thanks a lot! I will go with the blockinfile, sounds promising.

Ansible iptables best practices? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 1 points 12 hours ago* (last edited 12 hours ago) (3 children)

How do I keep some of the existing firewall rules (which is dependent on host) in the remote file, and change the other parts?

Ansible iptables best practices? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 1 points 1 day ago (5 children)

Thank you! Templating rules.v4 is a pretty attractive option. Though my VPS has some portions of the file which should be unmodified, so I would have to avoid this method.

Ansible iptables best practices? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 1 points 1 day ago

Thanks, but I looked up and learned to prefer the idempotence to be handled by ansible. Ansible support iptables by default, while nftables need a plugin, so iptables it is for me.

Why do people insist on not answering ALL the questions in an email or text message? in c/nostupidquestions@lemmy.world
[–] someacnt@sh.itjust.works 1 points 1 day ago

Sorry, I prefer input |> then |> doThis |> lastly

Why do people insist on not answering ALL the questions in an email or text message? in c/nostupidquestions@lemmy.world
[–] someacnt@sh.itjust.works 3 points 1 day ago* (last edited 1 day ago) (2 children)

Sounds almost like lastly (doThis (then (first input)))

Why do people insist on not answering ALL the questions in an email or text message? in c/nostupidquestions@lemmy.world
[–] someacnt@sh.itjust.works 1 points 1 day ago* (last edited 1 day ago) (1 children)

Not OP, but I experience difficulty articulating what I mean while staying formal. How to improve?

25
Ansible iptables best practices? (sh.itjust.works)
submitted 1 day ago* (last edited 1 day ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world
17 comments fedilink
 

I am currently looking into ansibles to store my configurations and deploy services more easily.

I have couple of iptable rules in /etc/iptables/rules.v4, which I can easily restore. Meanwhile, ansible has iptable role for configurations - hence, I am confused on what approach to take.

How do I persist this rules, especially across reboots? Should I rerun ansible every time on each reboot? I am at loss on how to best manage iptables, as other services can interact with it. How do you folks handle this? Thanks in advance!

How do I host Jellyfin in the most secure manner possible? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 8 points 2 days ago (2 children)

Being concerned about security while using free VPN sounds like an oxymoron.

TIL - Caddy in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 4 points 2 days ago (2 children)

Wait. I got the format warning in caddy, so does this mean it could contain substantial error? I gotta check

How and where should I keep backups of system configurations? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 1 points 3 days ago (1 children)

Thanks! I gotta get my hands on Ansible, was reluctant as I've heard it can be complicated. Should see myself!

How and where should I keep backups of system configurations? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 2 points 4 days ago

Codeberg sounds like a good way! I was concerned about server config being stored on self-hosted forgejo (which is configured by the very server config), turns out that need not be the case.

54
How and where should I keep backups of system configurations? (sh.itjust.works)
 

Sorry for adding to the massive pile of backup-related question, but I could not figure out how to manage backups from existing answers..

I want to backup my VPS setup (think container-defining files, its volumes, and etc configs), but am unsure where to put it. Does keeping these in the VPS itself make sense? If so, how do I create and manage the backup?

Also, I would need a remote copy - what is the good location for this? I wish I could copy to my laptop, but obviously I cannot do that automatically. Should I pay money for a backup? I want to avoid paying lots of money just for backups. Thanks in advance!

How to harden against SSH brute-forcing? in c/selfhosted@lemmy.world
[–] someacnt@sh.itjust.works 2 points 5 days ago

Fortunately my VPS (oracle) has set SSH authentication to be default. Disallowing root login sounds good, gotta try that as well.

139
How to harden against SSH brute-forcing? (sh.itjust.works)
 

Recently, I discovered that SSH of my VPS server is constantly battered as follows.

Apr 06 11:15:14 abastro-personal-arm sshd[102702]: Unable to negotiate with 218.92.0.201 port 53768: no matching key exchange method found. Their offer: diffie>
Apr 06 11:30:29 abastro-personal-arm sshd[102786]: Unable to negotiate with 218.92.0.207 port 18464: no matching key exchange method found. Their offer: diffie>
Apr 06 11:45:36 abastro-personal-arm sshd[102881]: Unable to negotiate with 218.92.0.209 port 59634: no matching key exchange method found. Their offer: diffie>
Apr 06 12:01:02 abastro-personal-arm sshd[103019]: Unable to negotiate with 218.92.0.203 port 16976: no matching key exchange method found. Their offer: diffie>
Apr 06 12:05:49 abastro-personal-arm sshd[103066]: Unable to negotiate with 218.92.0.212 port 49130: no matching key exchange method found. Their offer: diffie>
Apr 06 12:07:09 abastro-personal-arm sshd[103077]: Connection closed by 162.142.125.122 port 56110 [preauth]
Apr 06 12:12:18 abastro-personal-arm sshd[103154]: Connection closed by 45.79.181.223 port 22064 [preauth]
Apr 06 12:12:19 abastro-personal-arm sshd[103156]: Connection closed by 45.79.181.223 port 22078 [preauth]
Apr 06 12:12:20 abastro-personal-arm sshd[103158]: Connection closed by 45.79.181.223 port 22112 [preauth]
Apr 06 12:21:26 abastro-personal-arm sshd[103253]: Connection closed by 118.25.174.89 port 36334 [preauth]
Apr 06 12:23:39 abastro-personal-arm sshd[103282]: Unable to negotiate with 218.92.0.252 port 59622: no matching key exchange method found. Their offer: diffie>
Apr 06 12:26:38 abastro-personal-arm sshd[103312]: Connection closed by 92.118.39.73 port 44400
Apr 06 12:32:22 abastro-personal-arm sshd[103373]: Unable to negotiate with 218.92.0.203 port 57092: no matching key exchange method found. Their offer: diffie>
Apr 06 12:49:48 abastro-personal-arm sshd[103556]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53675 ssh2 [preauth]
Apr 06 12:49:48 abastro-personal-arm sshd[103556]: Disconnecting authenticating user root 98.22.89.155 port 53675: Too many authentication failures [preauth]
Apr 06 12:49:51 abastro-personal-arm sshd[103558]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53775 ssh2 [preauth]
Apr 06 12:49:51 abastro-personal-arm sshd[103558]: Disconnecting authenticating user root 98.22.89.155 port 53775: Too many authentication failures [preauth]
Apr 06 12:49:53 abastro-personal-arm sshd[103561]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53829 ssh2 [preauth]
Apr 06 12:49:53 abastro-personal-arm sshd[103561]: Disconnecting authenticating user root 98.22.89.155 port 53829: Too many authentication failures [preauth]
Apr 06 12:49:54 abastro-personal-arm sshd[103563]: Connection closed by 98.22.89.155 port 53862 [preauth]
Apr 06 12:50:41 abastro-personal-arm sshd[103576]: Invalid user  from 75.12.134.50 port 36312
Apr 06 12:54:26 abastro-personal-arm sshd[103621]: Connection closed by 165.140.237.71 port 54236
Apr 06 13:01:26 abastro-personal-arm sshd[103702]: Connection closed by 193.32.162.132 port 33380
Apr 06 13:03:40 abastro-personal-arm sshd[103724]: Unable to negotiate with 218.92.0.204 port 60446: no matching key exchange method found. Their offer: diffie>
Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Received disconnect from 165.140.237.71 port 50952:11:  [preauth]
Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Disconnected from authenticating user root 165.140.237.71 port 50952 [preauth]
Apr 06 13:19:08 abastro-personal-arm sshd[103897]: Unable to negotiate with 218.92.0.208 port 59274: no matching key exchange method found. Their offer: diffie>
Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Received disconnect from 165.140.237.71 port 50738:11:  [preauth]
Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Disconnected from authenticating user ubuntu 165.140.237.71 port 50738 [preauth]
Apr 06 13:34:50 abastro-personal-arm sshd[104079]: Unable to negotiate with 218.92.0.204 port 44816: no matching key exchange method found. Their offer: diffie>
Apr 06 13:50:32 abastro-personal-arm sshd[104249]: Unable to negotiate with 218.92.0.206 port 27286: no matching key exchange method found. Their offer: diffie>
Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Received disconnect from 165.140.237.71 port 50528:11:  [preauth]
Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Disconnected from authenticating user root 165.140.237.71 port 50528 [preauth]
Apr 06 14:01:25 abastro-personal-arm sshd[104351]: Invalid user  from 65.49.1.29 port 18519
Apr 06 14:01:28 abastro-personal-arm sshd[104351]: Connection closed by invalid user  65.49.1.29 port 18519 [preauth]

As you can see, it is happening quite frequently, and I am worried one might break in at some point. Since SSH access guards users with root-access, it can be quite serious once penetrated. How do I harden against these kind of attacks? Because this is VPS, disabling SSH is a no-go (SSH is my only entry of access). Are there ways to stop some of these attackers?

As always, thanks in advance!

24
How to configure UFW rules for podman (sh.itjust.works)
submitted 2 weeks ago* (last edited 2 weeks ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world
6 comments fedilink
 

Note: I am using VPS for services, since I do not want to expose my home network to internet. I am using podman, . But firewall (using UFW frontend) seems to block all the routing and inter-container traffic, so I want to Currently I have UFW rules set as blanket open for all podman networks, like this:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
222/tcp                    ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
Anywhere on podman1        ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
8080/tcp                   ALLOW       Anywhere                  
Anywhere on podman0        ALLOW       Anywhere                  
Anywhere on podman2        ALLOW       Anywhere                  
Anywhere on podman3        ALLOW       Anywhere                  
Anywhere on podman4        ALLOW       Anywhere                  
Anywhere on podman5        ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
222/tcp (v6)               ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
Anywhere (v6) on podman1   ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
8080/tcp (v6)              ALLOW       Anywhere (v6)             
Anywhere (v6) on podman0   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman2   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman3   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman4   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman5   ALLOW       Anywhere (v6)             

Anywhere on podman1        ALLOW FWD   Anywhere on ens3          
Anywhere on podman0        ALLOW FWD   Anywhere on ens3          
Anywhere on podman2        ALLOW FWD   Anywhere on ens3          
Anywhere on podman3        ALLOW FWD   Anywhere on ens3          
Anywhere on podman4        ALLOW FWD   Anywhere on ens3          
Anywhere on podman5        ALLOW FWD   Anywhere on ens3          
Anywhere (v6) on podman1   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman0   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman2   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman3   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman4   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman5   ALLOW FWD   Anywhere (v6) on ens3

This neither seems secure, nor extensible when I add another network. Is there some 'best practices' for firewall setup with podman networks? How do you gurus set up your firewall for containers? Thanks in advance!

EDIT: Sorry for missing an important detail, I am running rootful podman with (userns=auto).

7
Backup solutions for iPad Goodnotes? (sh.itjust.works)
submitted 2 weeks ago* (last edited 2 weeks ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world
6 comments fedilink
 

My uni lab has ~~subsidized~~ provided* an iPad for study, so I am using it primarily for handwritten note-taking.

After a while, I figured I cannot easily transcript all of it into notes on laptop. Especially, the hand-drawn diagrams take way too much effort to translate into TeX diagrams. Since these notes are quite important to me, I want a proper backup solution.

I am using Goodnotes for note-taking. How would I go with backups of the Goodnotes files? Of course I could use iCloud, but I want to avoid it for privacy reasons. Preferably, I want self-hosted backup options. What are the good backup solutions in this case?

Thanks in advance!

EDIT: Why so many downvotes? Is it bad to get an iPad? Basically my uni lab (forcefully) bought me an iPad, should I have rejected it?

10
[Solved] Nextcloud AIO inside container - domain verification fails (sh.itjust.works)
submitted 3 weeks ago* (last edited 3 weeks ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world
3 comments fedilink
 

I am setting up nextcloud AIO in a podman container on my VPS. After some struggle, I got to the installation page, but domain checking is simply not working out.

After looking up, I decided to check the port from host machine. Strangely, curl localhost:11000 hangs indefinitely. nextcloud-aio-domaincheck container is running, and it mapped port as 0.0.0.0:11000->11000/tcp. The domaincheck server should be reachable, and I don't think firewall would be preventing localhost access.. The single line log from domaincheck container is:

2025-03-20 13:47:43: (../src/server.c.1939) server started (lighttpd/1.4.76)

I am utterly lost here. Does anyone know what would be possible reasons, and how to troubleshoot the issue? Any pointers would be greatly appreciated. Thank you in advance!

EDIT: Just ran sudo podman exec nextcloud-aio-mastercontainer curl nextcloud-aio-domaincheck:11000, it seems to work in the internal network. At a loss how this does not get exposedd to the host..

EDIT2: Solved it, podman is misbehaving when the port is set to 0.0.0.0. Darn it, podman is such a pain..

16
[Solved] How do I debug network issues, regarding caddy in podman? (sh.itjust.works)
submitted 3 weeks ago* (last edited 3 weeks ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world
16 comments fedilink
 

Disclaimer: I am running personal website on cloud, since it feels iffy to expose local IP to internet. Sorry for posting this on selfhosting, I don't know anywhere else to ask.

I am planning to multiplex forgejo, nextcloud and other services on port 80 using caddy. This is not working, and I am having issues diagnosing which side is preventing access. One thing I know: it's not DNS, since dig <my domain> works well. I would like some pointers for what to do in this circumstances. Thanks in advance!

What I have looked into:

  • curling localhost from the server works well, caddy returns a simple result.
  • curl <my domain> times out, currently trying to inspect packets - it seems like server receives TCP without HTTP.
  • curl <my domain>:3000 displays forgejo page, as forgejo exposes at 3000 in its container, which podman routes to host 3000.

EDIT: my Caddyfile is as follows.

:80 {
    respond "Hello World!"
}

http://<my domain> {
    respond "This should respond"
}

http://<my domain 2> {
    reverse_proxy localhost:3000
}

EDIT2: I just tested with netcat webserver, it responds fine. This narrows it down to caddy itself!

EDIT3: (Partially) solved, it was firewall routing issue. I should have checked ufw logs. Turns out, podman needs to be allowed to route stuffs. Now to figure out how to reverse-proxy properly.

EDIT4: Solved, created my own internal network between containers, besides the usual one connecting to the internet. Set up reverse-proxy to correctly connect to the container. My only concern left is if I made firewall way permissive in the process. Current settings:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
3000/tcp                   ALLOW       Anywhere                  
222/tcp                    ALLOW       Anywhere                  
8080/tcp                   ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
8443/tcp                   ALLOW       Anywhere                  
Anywhere on podman1        ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
3000/tcp (v6)              ALLOW       Anywhere (v6)             
222/tcp (v6)               ALLOW       Anywhere (v6)             
8080/tcp (v6)              ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
8443/tcp (v6)              ALLOW       Anywhere (v6)             
Anywhere (v6) on podman1   ALLOW       Anywhere (v6)             

Anywhere on podman1        ALLOW FWD   Anywhere on ens3          
Anywhere on podman0        ALLOW FWD   Anywhere on ens3          
Anywhere (v6) on podman1   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman0   ALLOW FWD   Anywhere (v6) on ens3

podman0 is the default podman network, and podman1 is the internal network.

52
Advantages of rootless podman? (sh.itjust.works)
submitted 4 weeks ago* (last edited 4 weeks ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world
27 comments fedilink
 

From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

11
Which case is Pi-hole for? (sh.itjust.works)
 

Recently saw a post regarding pi-hole, and I am considering to try it out. I am wondering if it would fit my usecase, so I want to ask about specifically what it solves.

I heard pi-hole blocks ads at DNS resolution level, so it does not block e.g. youtube ads. For me and my family who mostly watch youtube with handful of blog surfing, what value would it bring? Most blogs do not seem to contain much ads, so I am not sure ad-blocking helps much there.

Given the praise pi-hole is getting, I guess there are more to it than limited blocking of ads. I would love to learn more about this topic, as I am blind on the networking stuff. Thanks in advance!

2
Should I ditch Samsung Galaxy S8? (sh.itjust.works)
submitted 1 month ago* (last edited 1 month ago) by someacnt@sh.itjust.works to c/degoogle@lemmy.ml
4 comments fedilink
 

Hello, I am considering de-googling my mobile experience. It seems like Samsung has bad security on their phones, which is why GrapheneOS is not available on Samsung phones, I guess. Ironically, google pixel phone is supposed to be the best fit for GrapheneOS.

So anyway, should I switch ? Ideally, I want to keep my phone. But my phone is quite old at this point, so I can consider buying a new phone. If I buy one, which one should I get?

Also, I heard call and mobile data does not work well on GrapheneOS and the like. How bad is it?

view more: next ›