You are still talking about someone that is not able to create the config themself, but that someone should be able to test everything?
- 0 Posts
- 23 Comments
Joined 3 years ago
Cake day: June 9th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
But still, how would verify if the config is good or not? For example if it exposes root?
4·24 days agoBut how would you know before watching?
“Based on the upvotes and comments” Oh then others doing the work to watch it and rate it on lemmy for you.
Imo, when a link to a video or forum or whatever is posted, then at least a summery or a discussion should be included.
And for containers auto updates once every day.
Got apticron set up on my servers or similar solutions to get notified when updates are available. Then usually, from time of notification +1 or 2 days.
End-to-end encryption means the service provider can’t see your data even if they wanted to
Not necessarily. All it means is that intermediaries can’t see the data in transit. You need to trust that the data is handled properly at either end, and most service providers also make the apps that you run at either end.
This is incorrect. End-to-End is defined as from “User to User” and not “User to Service provider”. That would be just transport encryption.
I switched to adguard, yes. But you can just give pi-hole a dnsmasq config file. The underlying dns server Pi-Hole uses does support those.
Just mount the file via a docker volume. I will have to look up the exact paths. Config would look like
address=/domain.tld/192.168.0.1
Based on you screenshot from the NPM Dashboard there seems to be something wrong. In the setup window you show that you forward the traffic with http and port 80, in the dashboard screenshot you forward the traffic with https and port 80.
Just skip http and self signed certificates all together. Modern Browsers make it a pain to use non https sites. A simple domain setup with dns acme challenge is a little bit of a hassle but worth the hour(s) of invested time. Especially with npm were it is a set and forget option.
Does pihole support wildcard dns entries yet? To my knowledge the gui only supports single entries so that you have to enter every subdomain manually in pihole that you want to have forwarded. Workaround would be to use a dnsmasq config file or use something else like addguard.
It usually is the directory where you execute the docker compose command.
Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional wireguard, others not.
Really surprised about this. I am using syncthing now for many years on various devices and never encountered issues with it. And also, file sync is not a backup solution.
Still the same but afaik they now somewhat support running zfs
Do you want to prevent brute forcing or do you want to prevent the attack getting in?
If you want to prevent brute forcing then software like fail2ban helps a little, but this is only a IP based block, so with IPv6 this is not really helpfull against a real attack, since rotating IP addresses is trivial. But still can slow down the attacker. Also limiting the amount of sessions and auth tries does significantly slow down the attacker.
If you just want to not worry about it set strong passwords, and when it is a multi user system where other ppl might access it, configure Public Key Auth so you can be sure the other users have strong passwords (or keys in this case) to authenticate.
With strong passwords or keys it is basically impossible to brute force your way in with ssh.
You do not even need a port based firewall when the server is open on the internet.
When you configure the software to not have unnecessary open ports over the internet connected interface then a port based firewall is providing zero additional security.
A port based firewall has the benefit that you can lock everything down to the few ports you actually need, and do not have to worry about misconfigured software.
For example, something like docker circumvents ufw anyway. And i know ppl that had open ports even tho they had ufw running.
At the same time crowdsec heavily benefits of the big free userbase since they ‘crowdsource’ their thread detection.
Just a simple hole renders them useless. The only method to reconstruct them from there would be any kind of SEM or AFM which would still take weeks to months to years depending on the size/density of the drives.
Even just opening them up and smacking the disks would be sufficient
Next time just encrypt them.
Just because there is no update does not mean there are security vulnerabilities to worry about, or do you have a specific one that is not fixed?
The attack vector seems very narrow to me. It checks the container registry downloads the containers and runs some docker commands.
It has no interface, so in order to attack it you either have to compromise the container registry (but then it would be easier to compromise the containers you download) the secure connection used to download the containers (https is quite stable) or something on the server side.
Also the project does not really look that abundant to me.
EDIT: So i have not checked this, but watchtower is probably using docker for most steps anyway? So basically the only thing that could be attacked is via the notifications watchtower is sending?
Years out of date
What problems does it have? Never ran into an issue for my usecase.
Automatic updates. Works like a dream. Depending on what you are running it can obviously cause issues, either server side breaking or server,client communication issues
There is no guarantee either, but on a public forum at least a couple of eyes look at it too. Not saying that this makes it trust worthy. But a LLM usually words it output very direct and saying “this is the absolut truth” which can lead to a much higher trust relation then a stranger on a forum that writes “maybe try this”.
I generelly would not recommend using the llm for potential security related questions (or important or professionally questions) were your own knowledge is not big enough to quickly vet the output.