Post AV544HBQrtXwulSq4e by c0debabe@hackers.town
 (DIR) Post #AV0yM22KXtvYnDRzHM by tek@freeradical.zone
       2023-04-25T15:34:07Z
       
       0 likes, 2 repeats
       
       Yesterday I stood up a new firewall in front of my home network. This one has much better logging than the old one, and I've been tailing the block reports.
       
       Real talk, friends: DO. NOT. expose a machine to the open internet unless you're 100% confident it's bulletproof.
       
       "I run SSH on a custom port!" Doesn't matter.
       "I use IPv6!" Doesn't matter.
       "I'm just a nobody!" Doesn't matter.
       
       Practice safer networking, every time, all the time.
       
 (DIR) Post #AV0yfPlCZ8QvsAgHSa by yuki2501@hackers.town
       2023-04-25T15:37:37Z
       
       0 likes, 0 repeats
       
       @tek Meaning, the machine requires authentication for all open ports, or otherwise those ports were actually intended to be accessed from the internet (as in, a public HTTP server)?
       
 (DIR) Post #AV0z4aGKekG9gTFAZ6 by tek@freeradical.zone
       2023-04-25T15:42:08Z
       
       0 likes, 0 repeats
       
       @yuki2501 Both:
       1. Default deny. Unless you specifically want a port to be open, don't. If you can only open it to specific IPs instead of the whole world, do that.
       2. Don't rely on obscurity, ever. "Why would someone even try to access my Redis?" Because they will, that's why. 😀
       
 (DIR) Post #AV0zYISlOmghARE6fw by Jetengineweasel@hackers.town
       2023-04-25T15:47:26Z
       
       0 likes, 1 repeats
       
       @tek @yuki2501 and for the love of fuck: turn on automatic updates
       
 (DIR) Post #AV0zeeePok7FifhyXQ by tek@freeradical.zone
       2023-04-25T15:48:40Z
       
       0 likes, 0 repeats
       
       @Jetengineweasel @yuki2501 YES.
       
 (DIR) Post #AV10zoflqqnypxzrU0 by tek@freeradical.zone
       2023-04-25T16:03:37Z
       
       0 likes, 0 repeats
       
       @Jetengineweasel @yuki2501 Automatic updates are like seatbelts. You hear the occasional story of one that caused harm, mainly because it’s news when that happens. For every one of those, you don’t hear the hundreds of thousands of cases where they did their job.
       
 (DIR) Post #AV11QOQ9YzWdElMewK by yuki2501@hackers.town
       2023-04-25T16:08:32Z
       
       0 likes, 0 repeats
       
       @tek @Jetengineweasel My main issue with automatic updates is Microsoft, because they added copy protection / DRM features disguising them as security updates and ended up ruining it for everyone. More than once. I absolutely do NOT trust that they won't do another shitty thing again.
       
 (DIR) Post #AV12SgFKMNHF3SxISe by tek@freeradical.zone
       2023-04-25T16:20:06Z
       
       0 likes, 0 repeats
       
       @yuki2501 @Jetengineweasel Ugh, that's valid. I've deliberately avoided that work.
       
 (DIR) Post #AV12iFOZxT40PbhoMC by r343l@freeradical.zone
       2023-04-25T16:22:52Z
       
       0 likes, 0 repeats
       
       @tek Keep thinking we should expose something from home network and then not bothering because I'm like "nah don't really want to deal with that do I".
       
 (DIR) Post #AV13A4ilEtAjPjPmnw by tek@freeradical.zone
       2023-04-25T16:27:58Z
       
       0 likes, 0 repeats
       
       @r343l I do it anyway because I'm a glutton for punishment, but I've got the open ports locked down to access from specific IPs. And certain services are probably alright, like Nginx is solid.
       
 (DIR) Post #AV146K60EYM9tV3prc by r343l@freeradical.zone
       2023-04-25T16:38:31Z
       
       0 likes, 0 repeats
       
       @tek Yeah the particular service I was thinking of exposing would not be IP lockable (since the goal was access from household mobile phones) but I was pondering per device keys or certificates or something so any other request is rejected. Not sure that's really sufficient though. Sigh.
       
 (DIR) Post #AV1OJVCWFqlbBSfdZI by brolf@chaos.social
       2023-04-25T17:31:34Z
       
       0 likes, 0 repeats
       
       @r343l @tek sounds kinda valid to me. Using client certificates is a great way to lock out unwanted visitors. I really don't know why they are so rarely used in the wild.
       
 (DIR) Post #AV1OJZkLM2CRHWWhqS by r343l@freeradical.zone
       2023-04-25T17:42:36Z
       
       0 likes, 0 repeats
       
       @brolf @tek Probably the pain of managing client certs but my client pool is like two total so not that big a deal. But more the worry is even if I use that to very strongly authenticate there's still a port open to (probably) an https service which is probably fine but I get all paranoid thinking about it.
       
 (DIR) Post #AV1OJcFc2kOt35AhrU by brolf@chaos.social
       2023-04-25T19:52:44Z
       
       0 likes, 0 repeats
       
       @r343l @tek well, an open port with strong authentication upfront is not a problem as long as nobody can bypass it. I'd argue that such designs are fine for all relevant threat models because the probably vulnerable application never sees anonymous traffic. (It's like ssh with certs only) Having the webapp doing the auth on the other hand is way scarier in my opinion.
       
 (DIR) Post #AV1OJhR8lJan8HbU1Y by tek@freeradical.zone
       2023-04-25T20:24:43Z
       
       0 likes, 0 repeats
       
       @brolf @r343l For web stuff, it's probably fine. Again, Nginx, Caddy, etc. are pretty extensively tested. I wouldn't expose Sendmail to the Internet, with or without auth.
       
 (DIR) Post #AV1UwNRXdAzK8tcKf2 by r343l@freeradical.zone
       2023-04-25T21:38:58Z
       
       0 likes, 0 repeats
       
       @tek @brolf good old nginx. I should maybe trust it and worry a little less.
       
 (DIR) Post #AV53uUc25J9hfUF0lM by thegibson@hackers.town
       2023-04-27T14:55:03Z
       
       0 likes, 0 repeats
       
       @tek For real...
       
 (DIR) Post #AV542271vmQxarKrPk by gedvondur@hulvr.com
       2023-04-27T14:56:33Z
       
       0 likes, 0 repeats
       
       @tek If I may ask, what was the firewall?
       
 (DIR) Post #AV544HBQrtXwulSq4e by c0debabe@hackers.town
       2023-04-27T14:56:42Z
       
       0 likes, 0 repeats
       
       @tek they're out there
       
 (DIR) Post #AV54dnSEsRNd8YGLz6 by tek@freeradical.zone
       2023-04-27T15:03:24Z
       
       0 likes, 0 repeats
       
       @TheGibson I was at a doctor check-up, and during the mental health check part of it she asked if I felt like anyone was out to get me. I took a deep breath and started laughing. “How do I answer this correctly without sounding paranoid?” 😀
       
 (DIR) Post #AV54fgr6NnmtFXnMTw by deutrino@mstdn.io
       2023-04-27T15:03:34Z
       
       0 likes, 0 repeats
       
       @tek this increases my nagging feeling that I'm not upping my game on basic hardening fast enough.
       
 (DIR) Post #AV54pgTSehGoxlVEi8 by tek@freeradical.zone
       2023-04-27T15:05:34Z
       
       0 likes, 0 repeats
       
       @gedvondur The new one is a Firewalla Gold Plus.
       
 (DIR) Post #AV54qx3eU0Z8gb2Ewy by tek@freeradical.zone
       2023-04-27T15:05:43Z
       
       0 likes, 0 repeats
       
       @c0debabe Boy howdy.
       
 (DIR) Post #AV54yea540vlhIsNDk by gedvondur@hulvr.com
       2023-04-27T15:07:05Z
       
       0 likes, 0 repeats
       
       @tek Ah! That's one I've been looking at. I have a long-in-the-tooth Ubiquiti mesh rig, but I want to break out the firewall portion going forward. Been watching the Firewalla forum for quite a while. The Gold seems to be the right choice.
       
 (DIR) Post #AV55UvfF5H1DwlgFZg by prozacchiwawa@functional.cafe
       2023-04-27T15:13:00Z
       
       0 likes, 1 repeats
       
       @tek it's good to recommend as well only allowing public key ssh auth (disable password login) on the internet at large. Anything that looks like an ssh server constantly gets random user/password login attempts.
       
 (DIR) Post #AV55YgAocW7n3sEjzs by tek@freeradical.zone
       2023-04-27T15:13:41Z
       
       0 likes, 0 repeats
       
       @gedvondur It was spendier than I wanted, but those bondable 2.5Gb Ethernet ports clinched the deal. Some people gave me solid recommendations for DIY hardware, but it came down to that I wanted a complete solution where everything’s integrated, tested together, has a pretty interface, and someone else maintains it for a living. So far I’m very happy with it.
       
 (DIR) Post #AV55kKJHjXtojDkhRA by thegibson@hackers.town
       2023-04-27T15:10:28Z
       
       0 likes, 0 repeats
       
       @tek Correct. Unsurprisingly, I have encountered this same dilemma.
       
 (DIR) Post #AV55kKpXnbhgLGqSie by tek@freeradical.zone
       2023-04-27T15:15:46Z
       
       0 likes, 0 repeats
       
       @TheGibson Well, of course you have. I already said we did.
       
 (DIR) Post #AV55q75BpEw5RSv0oC by e_er1n@hackers.town
       2023-04-27T15:13:26Z
       
       0 likes, 0 repeats
       
       @thegibson @tek it's not paranoia if they're actually out to get you
       
 (DIR) Post #AV55q7oD7qwrh5yxyy by tek@freeradical.zone
       2023-04-27T15:16:45Z
       
       0 likes, 0 repeats
       
       @e_er1n @TheGibson And it’s not “they” if you have IPs, logs, and their employers’ names.
       
 (DIR) Post #AV55qfepHFdyfpqx4i by gedvondur@hulvr.com
       2023-04-27T15:16:12Z
       
       0 likes, 0 repeats
       
       @tek Good to know! Thank you very much. My needs closely parallel yours - I don't want to spend excessive time maintaining the hardware or software, I want an appliance with the aforementioned pretty interface. To me, the price is worth it. Same reason I buy Synology NAS, rather than just building one. I want to do things, not maintain things.
       
 (DIR) Post #AV55uK0FjJ4IfjcFqi by gedvondur@hulvr.com
       2023-04-27T15:17:32Z
       
       0 likes, 0 repeats
       
       @tek Do you run a pihole? I'm interested if the ad blocking in firewalla is adequate.
       
 (DIR) Post #AV569pDxvs2xqYQH8y by _L1vY_@mstdn.social
       2023-04-27T15:20:20Z
       
       0 likes, 0 repeats
       
       @tek Yikes ☚
       
 (DIR) Post #AV56Nk5Hq6srxY01vk by tek@freeradical.zone
       2023-04-27T15:22:56Z
       
       0 likes, 0 repeats
       
       @prozacchiwawa Yes! Before I launch a server, I always, *always*, turn off password auth (and also root logins). Never, ever, ever, use SSH password auth. Pubkey is way more convenient, too!
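       The sshd settings tek and prozacchiwawa recommend, turned into a check, as an added example that is not code from anyone in the thread: a POSIX sh audit of an sshd_config text for password auth, root login and pubkey auth. It assumes the `Keyword value` config form and runs on a constructed sample rather than a real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: audit an sshd_config for
# the settings recommended above (no password auth, no root login, pubkey on).
# sshd honours the FIRST value it sees for a keyword, so the audit does too.

# Constructed sample with two weak settings. A real run would pass in the
# contents of /etc/ssh/sshd_config, or better the output of `sshd -T`, which
# prints every effective value and so removes the "unset" case below.
SAMPLE_CONFIG='# constructed sshd_config
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
'

# sshd_get CONFIG KEYWORD -> first effective value, lowercased, or "unset".
# Handles the "Keyword value" form; comments and blank lines are skipped.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key  { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# sshd_audit CONFIG -> prints one line per finding; the return value is the
# number of weak settings, so 0 means the config matches the advice above.
sshd_audit() {
    weak=0
    pw=$(sshd_get "$1" PasswordAuthentication)
    root=$(sshd_get "$1" PermitRootLogin)
    pk=$(sshd_get "$1" PubkeyAuthentication)
    # PasswordAuthentication defaults to yes, so unset is as weak as yes
    case $pw in
        no) ;;
        *)  echo "WEAK  PasswordAuthentication=$pw (want: no)"; weak=$((weak + 1)) ;;
    esac
    # the advice is to disable root login outright; the OpenSSH default is
    # prohibit-password, which still lets root in with a key
    case $root in
        no)  ;;
        yes) echo "WEAK  PermitRootLogin=yes (want: no)"; weak=$((weak + 1)) ;;
        *)   echo "NOTE  PermitRootLogin=$root (root still allowed with a key)" ;;
    esac
    # PubkeyAuthentication defaults to yes, so unset is fine
    case $pk in
        yes|unset) ;;
        *) echo "WEAK  PubkeyAuthentication=$pk (want: yes)"; weak=$((weak + 1)) ;;
    esac
    echo "weak settings: $weak"
    return "$weak"
}

# Demo on the constructed sample; the exit status says whether it is safe to expose.
if sshd_audit "$SAMPLE_CONFIG"; then echo "OK to expose"; else echo "fix before exposing"; fi
```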
       
 (DIR) Post #AV56WM5QQqHw8cAgHg by ScaredyCat@toot.net-pbx.com
       2023-04-27T15:15:44.456655Z
       
       0 likes, 0 repeats
       
       @tek@freeradical.zone My preference is Mikrotik. One false move and you're blocked. bad_people address list ftw! 😁 I just looked, 120k entries on the list.
       
 (DIR) Post #AV56WN7aaHc5LcBvIO by tek@freeradical.zone
       2023-04-27T15:23:57Z
       
       0 likes, 0 repeats
       
       @ScaredyCat I love some good reactive armor!
       
 (DIR) Post #AV56cIB9sBX7kxgSJM by tek@freeradical.zone
       2023-04-27T15:25:31Z
       
       0 likes, 0 repeats
       
       @gedvondur This instance’s database is on a Synology! Same thing. I wrangle computers all day long. I don’t need to scratch that itch at home. I *can*. I don’t *want* to.
       
 (DIR) Post #AV56wLPfYgi3Zv2608 by kkarhan@mstdn.social
       2023-04-27T15:29:06Z
       
       0 likes, 0 repeats
       
       @tek Personally, I'm tempted to look for a way to automate reports of unauthorized access attempts and automatically file them to the ISP and if they don't react, block the allocated IP space... Also use a #Fail2Ban-like approach and soft-ban anyone trying to brute-force your network or even scan it.
       
 (DIR) Post #AV577L2BJ79baZHy4m by dalias@hachyderm.io
       2023-04-27T15:31:07Z
       
       1 likes, 0 repeats
       
       @tek When was the last OpenSSH pre-auth RCE..? 🤔 (assuming no shit like PAM enabled, etc.)
       
 (DIR) Post #AV57820DYI8IqvhVU8 by kkarhan@mstdn.social
       2023-04-27T15:30:50Z
       
       0 likes, 0 repeats
       
       @tek @prozacchiwawa Also it's trivial to version #Pubkeys... If necessary just set up some custom URL/forwarder like keys.domain.example/ssh to wget that stuff post-install...
       
 (DIR) Post #AV57AeSrWRIsigLfcm by tek@freeradical.zone
       2023-04-27T15:31:45Z
       
       0 likes, 0 repeats
       
       @gedvondur I suspect (but don’t know) that the Firewalla’s ad blocker is pihole. I used to have a separate pihole server, but eero has a longstanding bug where it serves the wrong DNS IPs to DHCP clients, and I got tired of manually configuring all the hosts to set custom DNS. That was another motivator to switch to a freestanding firewall.
       
 (DIR) Post #AV57JkiHeul4hptwxs by tek@freeradical.zone
       2023-04-27T15:33:23Z
       
       0 likes, 0 repeats
       
       @_L1vY_ We all *know* that the Internet is a grimy place, but it’s useful to look around sometimes and remind ourselves of it.
       
 (DIR) Post #AV57wsSYn9fS1bCeGm by gedvondur@hulvr.com
       2023-04-27T15:39:46Z
       
       0 likes, 0 repeats
       
       @tek EXACTLY!
       
 (DIR) Post #AV5815IJ0zXwzNPe1Q by eckes@zusammenkunft.net
       2023-04-27T15:41:05Z
       
       0 likes, 0 repeats
       
       @tek well, ingress is blocked anyway. But what about egress?
       
 (DIR) Post #AV582ujVFjRcoS0SbQ by tek@freeradical.zone
       2023-04-27T15:41:00Z
       
       0 likes, 0 repeats
       
       @kkarhan From experience, be prepared to block a lot of ISPs. Most of them. Nearly all of them. Near as I can tell reports are universally filed to /dev/null.
       
 (DIR) Post #AV58730iQ1K7dy1oyO by tek@freeradical.zone
       2023-04-27T15:42:18Z
       
       0 likes, 0 repeats
       
       @dalias I’m too lazy to look right now, but it’s been quite a while. Oops: February. https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
       
 (DIR) Post #AV58KF9sZ4h95Gbgp6 by tek@freeradical.zone
       2023-04-27T15:44:37Z
       
       0 likes, 0 repeats
       
       @eckes Also important! On Mac, I tell everyone to install Little Snitch. (There’s a free alternative now, but I haven’t used it.) I like that the Firewalla gives unusual traffic alerts.
       
 (DIR) Post #AV58e3A0skSTfI78WO by tek@freeradical.zone
       2023-04-27T15:48:15Z
       
       0 likes, 0 repeats
       
       @deutrino “netstat -na” is your friend. See what ports are listening to public addresses.
       - If you don’t use those services, turn them off.
       - If you use them, but only for local purposes, edit their configs so that they only listen on localhost.
       The only things that should be public facing are services you explicitly want everyone to have access to, like a webserver.
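       The listening-port review tek describes above, as an added example that is not code from anyone in the thread: a POSIX sh/awk filter over `netstat -na` output that separates loopback-only sockets from ones another host could reach. It assumes the Linux net-tools column layout and runs on a constructed sample instead of live output.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: classify bound sockets
# from `netstat -na` output (Linux net-tools layout assumed) into loopback-only
# versus reachable from other hosts, which is the review described above.

# Constructed sample output; a real run would pipe `netstat -na` in instead.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:8080       0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:44321      93.184.216.34:443       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.53:53           0.0.0.0:*'

# listeners -> one line per bound socket: "<proto> <port> <host> <scope>"
# scope is LOOPBACK (unreachable from other hosts), ALL (every interface) or
# IFACE (one specific non-loopback address, still reachable over the network).
listeners() {
    awk '
        # keep TCP sockets in LISTEN and bound UDP sockets (which have no state column)
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "*") scope = "ALL"
            else if (host ~ /^127\./ || host == "::1")            scope = "LOOPBACK"
            else                                                   scope = "IFACE"
            print $1, port, host, scope
        }'
}

# exposed -> only the sockets another host could reach: the list to go through
# and either turn off or rebind to localhost, per the advice above
exposed() { listeners | awk '$4 != "LOOPBACK"'; }

# count_exposed -> number of such sockets, usable as a pass/fail signal
count_exposed() { exposed | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_NETSTAT" | exposed
```

       Established connections are skipped on purpose: the question is what accepts new connections, not what is currently talking.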
       
 (DIR) Post #AV5BsvMMT2Hhg3fqoi by deutrino@mstdn.io
       2023-04-27T16:24:29Z
       
       0 likes, 0 repeats
       
       @tek all my stuff has a basic firewall up with minimum open ports, but the increasing persistence of automated attacks ... I feel like it's only a matter of time on some level (also I still use php for things)
       
 (DIR) Post #AV5D84CTypMDOUpzxw by loke@functional.cafe
       2023-04-27T16:38:15Z
       
       0 likes, 0 repeats
       
       @tek I've logged every single deny on my firewall for years. On both IPv4 and IPv6. I want to do something with this data, but I'm not sure what. Surely there are some interesting statistics I can get from it.
       
 (DIR) Post #AV5EELL1H8MQEmO5Sa by tek@freeradical.zone
       2023-04-27T16:50:54Z
       
       0 likes, 0 repeats
       
       @loke I've thought about doing something like that but never got around to it. I think the geo information would be fun! Does China have a different attack than Russia? Where do you see the most traffic from? Per capita?
       
 (DIR) Post #AV5EIGtTjzJLc1NXPM by tek@freeradical.zone
       2023-04-27T16:51:35Z
       
       0 likes, 0 repeats
       
       @deutrino Awareness is the big thing: remembering at all times you're working on stuff that it really is a wild and dangerous place, and to be cautious.
       
 (DIR) Post #AV5EbjHcPjClA7wqTA by deutrino@mstdn.io
       2023-04-27T16:55:02Z
       
       0 likes, 0 repeats
       
       @tek my next big task is building out infra for awareness ... basic monitoring, and once I get that together, progressive refinement on it so that I can spot unusual patterns at a glance and/or get automated alerts.
       
 (DIR) Post #AV5Kb3DNQH56Pl1X72 by tek@freeradical.zone
       2023-04-27T18:02:10Z
       
       0 likes, 0 repeats
       
       @deutrino Nice!
       
 (DIR) Post #AV5P5nzSTcChzSQxOq by dalias@hachyderm.io
       2023-04-27T18:52:33Z
       
       0 likes, 0 repeats
       
       @tek AIUI that was overhyped and it's at best unprivileged code execution in an extremely locked down privsep sandbox process.
       
 (DIR) Post #AV5Urt0pbhkREkp2JM by tek@freeradical.zone
       2023-04-27T19:57:15Z
       
       0 likes, 0 repeats
       
       @dalias Good. I didn't have time to read that too closely; just made sure my stuff was up-to-date.
       
 (DIR) Post #AV5X1SWN9iP3scGefI by JamesTDG@mastodon.world
       2023-04-27T20:21:25Z
       
       0 likes, 0 repeats
       
       @tek wow. Really makes me wonder how bad my dad's security settings are...
       
 (DIR) Post #AV5a8DD6mL4KHgAWLw by nu@mastodon.nzoss.nz
       2023-04-27T20:56:01Z
       
       0 likes, 0 repeats
       
       @tek I sleep very well at night after turning off my public facing ports and switching to using Tailscale. It's a zero trust VPN based on Wireguard. It's super easy to set up. Software free as in air, service free as in beer (freemium, but very generous capabilities). https://tailscale.com/
       
 (DIR) Post #AV5dLlvBKrY7Z5wPiK by acyberexpert@freeradical.zone
       2023-04-27T21:32:10Z
       
       0 likes, 0 repeats
       
       @tek I had a service on a high port that went untouched for years and then one day I accidentally forgot to close port 80/tcp after a Let’s Encrypt certificate renewal. Shodan visited port 80/tcp, followed the redirect to the high port, and then I started to get a huge number of attacks on the high port. Time To First Attack is crazy low for well known ports (80, 22, 25). Remember how Windows XP could be exploited before the installer had completed, if connected to the Internet.
       
 (DIR) Post #AV5i3s1kOXRj3oINFI by tek@freeradical.zone
       2023-04-27T22:25:06Z
       
       0 likes, 0 repeats
       
       @JamesTDG That's always a good thing to check on.
       
 (DIR) Post #AV5iCqbn2SdtGbR0cK by tek@freeradical.zone
       2023-04-27T22:26:17Z
       
       0 likes, 0 repeats
       
       @nu If you don't *need* public access, VPNs are the way to go. I mean, you still have to expose the VPN software to the public, but they're usually pretty well tested.
       
 (DIR) Post #AV5iLiHxLDZs4MNw3s by tek@freeradical.zone
       2023-04-27T22:28:17Z
       
       0 likes, 0 repeats
       
       @acyberexpert I remember that! 20 minutes, average: https://www.theregister.com/2004/08/19/infected_in20_minutes/
       
 (DIR) Post #AV5jQHeftKwQrvkqwa by nu@mastodon.nzoss.nz
       2023-04-27T22:40:15Z
       
       0 likes, 0 repeats
       
       @tek That's one of the awesome things about Tailscale, you don't need to run a public interface, and you can still push your service publicly if you want!