Post AXRuwF5HaHA3RJOmMS by Sabex@noagendasocial.com
       Post #AXRVKQdpfVV9QRQo7c by eriner@noagendasocial.com
       2023-07-07T06:30:21Z
       
       2 likes, 0 repeats
       
       Of the recent mastodon vulnerabilities, the "possible" XSS vuln (CVE-2023-36459) was the most concerning. The other concerning vuln was an arbitrary file creation via media processing (CVE-2023-36460), however this issue never impacted NAS because of two mitigations I've had in place for years:
       * All UGC is hosted at a different origin which is not exempted by CSP (and primary-domain cookie is set with explicit SameSite flag).
       * All application containers run with read-only FS'.
       
       Post #AXRVyJfmzpTpOeMn0i by eriner@noagendasocial.com
       2023-07-07T06:37:33Z
       
       1 likes, 1 repeats
       
       There was also a Denial-of-Service (DoS) vuln in the handling of outgoing HTTP requests (CVE-2023-36461). Similar in nature to the outgoing request DoS I reported back in 2018 (CVE-2018-21018): https://github.com/mastodon/mastodon/pull/9329 That said, I've found worker process memory consumption/leaks to be a rather reliable DoS and am looking forward to the day that's fixed.
       
       Post #AXRhyBaoEnC3mmk2JE by grapedrink@noagendasocial.com
       2023-07-07T08:51:59Z
       
       0 likes, 0 repeats
       
       @eriner TYFYC dude!
       
       Post #AXRuBno2ffidW8BrHc by Pnakp@noagendasocial.com
       2023-07-07T11:08:55Z
       
       0 likes, 0 repeats
       
       @eriner I self host stuff for myself but I have no idea about the proper practices and tools for security etc. I've just piecemealed info together for the last few years to run my emby media server and nextcloud. What online courses or resources would you recommend for me to get up to speed on sys admin stuff (in my mind this is managing the server, knowing which tools are right for which situation, etc) (1/2)
       
       Post #AXRuInR0S1ASOMkadE by Pnakp@noagendasocial.com
       2023-07-07T11:10:10Z
       
       0 likes, 0 repeats
       
       @eriner (2/2) server security, and networking information such as application of reverse proxies (maybe this falls under security). I've got a background and degree in mechanical engineering so I have a foundation to build upon, just frustrating trying to piecemeal info together online. I guess that's why a structured degree at a university is beneficial?
       
       Post #AXRug69b1Gpp6oiabw by Sabex@noagendasocial.com
       2023-07-07T11:14:23Z
       
       0 likes, 0 repeats
       
       @Pnakp @eriner change your SSH port. Learn something like Tripwire. Learn how to configure a firewall. Keep your shit up to date.
       
       Post #AXRuwF5HaHA3RJOmMS by Sabex@noagendasocial.com
       2023-07-07T11:17:18Z
       
       0 likes, 0 repeats
       
       @Pnakp @eriner pick a web server and learn it well. Don't rely on internal servers - always put it behind a reverse proxy. If you have a choice, use sockets rather than ports. Watch the user accounts you set up and make sure they're not able to cause a privilege escalation.
       
       Post #AXRwuJSKYiN2KMO2zI by Pnakp@noagendasocial.com
       2023-07-07T11:39:22Z
       
       0 likes, 0 repeats
       
       @Sabex changed my ssh port already and deactivated passwords - keys only. Tripwire being a commercial threat detection software for servers? I should look into the firewall bit. I know some but not enough. I have Debian set to security only auto updates, nextcloud does security updates automatically, emby I do manually because it doesn't offer such an option.
       
       Post #AXRx8DKg7eR1OFR6jg by Pnakp@noagendasocial.com
       2023-07-07T11:41:53Z
       
       0 likes, 0 repeats
       
       @Sabex Web server would be apache correct? Example of an internal server? Reverse proxies are something I'm still trying to wrap my head around. I think I need a more manual setup so I can actually learn the mechanics of it rather than something automated like caddy 2. Is nginx pretty manual to setup for a reverse proxy? Never heard of sockets VS ports. Will investigate. Thanks for all the tips.
       
       Post #AXSBgEWNbkS2HU1coK by IceCubeSoup@noagendasocial.com
       2023-07-07T14:24:51Z
       
       0 likes, 0 repeats
       
       @Pnakp @eriner
       > I guess that's why a structured degree at a university is beneficial?
       lol, no
       
       Post #AXSCCf4aQO7VtdUKBc by eriner@noagendasocial.com
       2023-07-07T14:30:46Z
       
       0 likes, 0 repeats
       
       @IceCubeSoup @Pnakp fwiw I don’t have a degree in anything and am entirely self-taught. Free time and experimentation (tinkering) are the best teachers. As for how to learn, trial and error. Or, take an adversarial position against your own infra and see how far you can get. There are plenty of simulated lab-in-a-boxes online too. DVWA and the many, many similar projects come to mind.
       
       Post #AXSCxi7ysv48ysVixU by IceCubeSoup@noagendasocial.com
       2023-07-07T14:39:16Z
       
       0 likes, 0 repeats
       
       @eriner @Pnakp
       > fwiw I don’t have a degree in anything and am entirely self-taught. Free time and experimentation (tinkering) are the best teachers.
       Exactly this. Formal education is out of date before you can complete it. Except for abstract fundamentals, which are timeless, but it's hard to appreciate the fundamentals until you've got quite a few years of experience.
       
       Post #AXSYnuYvzoBldsqmXY by midway@soapbox.midwaytrades.com
       2023-07-07T18:44:00.708998Z
       
       0 likes, 0 repeats
       
       Nginx is quite configurable and not that hard to learn for most services. Plus there’s a ton of examples out there from which to learn. I run 7 or 8 small services behind an nginx instance running in a small lxc container. Works great.
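The two ideas that run through this thread, eriner's separate-origin-for-UGC plus CSP mitigation and Sabex's advice to front everything with a reverse proxy talking to the app over a socket rather than a port, sketched as one added nginx configuration. This is example config written for this page, not anything from the thread's participants or from Mastodon; hostnames, socket path, certificate and media paths are placeholders.

```nginx
# Added example, not from this thread: nginx as the reverse proxy in front of
# an app reached over a unix socket, with user-generated content (UGC) served
# from a separate origin that the primary origin's CSP never allows as a
# script source. All hostnames and paths are placeholders.

upstream app {
    # unix socket instead of a TCP port: nothing else on the host can reach it
    server unix:/run/app/web.sock;
}

# Primary origin: proxies to the app and sets the CSP for its pages.
server {
    listen 443 ssl;
    server_name social.example.com;
    ssl_certificate     /etc/ssl/certs/social.example.com.pem;
    ssl_certificate_key /etc/ssl/private/social.example.com.key;

    # media.example.com may only be loaded as images/media, never as script,
    # so a crafted upload cannot run in the primary origin.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' https://media.example.com; media-src 'self' https://media.example.com; object-src 'none'; frame-ancestors 'none'" always;

    location / {
        proxy_pass http://app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # defence in depth: force Secure/HttpOnly/SameSite on cookies the app
        # sets, so the primary-domain cookie is never sent cross-site
        proxy_cookie_flags ~ secure httponly samesite=lax;
    }
}

# UGC origin: static files only. Nothing executes here even if an upload
# turns out to be an HTML or SVG document.
server {
    listen 443 ssl;
    server_name media.example.com;
    ssl_certificate     /etc/ssl/certs/media.example.com.pem;
    ssl_certificate_key /etc/ssl/private/media.example.com.key;
    root /srv/media;

    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        try_files $uri =404;
    }
}
```

The `proxy_cookie_flags` directive needs nginx 1.19.3 or newer; on older builds drop that line and rely on the application setting the cookie flags itself.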