Comment

Comment on Is it normal to not have any malicious login attempts?

Shimitar@downonthestreet.eu ⁨1⁩ ⁨week⁩ ago

Yes. The fearmongering of the security freaks is not necessarily true. We selfhosters are not big targets and nobody cares about our files or our devices.

Of course, until you get hacked.

But beside SMTP and ssh and known services like WordPress or PrestaShop there is little actual brute force bots trying hard.

source

Sort:hotnew top

greyfox@lemmy.world ⁨1⁩ ⁨week⁩ ago
Agreed. The nonstandard port helps too. Most script kiddies aren’t going to know your service even exists.

Take it another step further and remove the default backend on your reverse proxy so that requests to anything but the correct DNS name are dropped (bots just are probing IPs) and you basically don’t have to worry at all. Just make sure to keep your reverse proxy up to date.

The reverse proxy ends up enabling security through obscurity, which shouldn’t be your only line of defence, but it is an effective first line of defence especially for anyone who isn’t a target of foreign government level of attacks.

Adding basic auth to your reverse proxy endpoints extends that a whole lot further. Form based logins on your apps might be a lot prettier, but it’s a lot harder to probe for what’s running behind your proxy when every single URI just returns 401. I trust my reverse proxy doing basic auth a lot more than I trust some php login form.

I always see posters on Lemmy about setting up elaborate VPN setups for as the only way to access internal services, but it seems like awful overkill to me.

VPN still needed for some things that are inherently insecure or just should never be exposed to the outside, but if it is a web service with authentication required a reverse proxy is plenty of security for a home lab.

source
- Shimitar@downonthestreet.eu ⁨1⁩ ⁨week⁩ ago
  100% agree.
  
  One point: use an SSO like authelia or authentic. Way better than basic auth and you get the fancy login form too preserving all the benefits, and you can also use OIDC with those services that require more complex setup for proper auth
  
  source
Vendetta9076@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
I had three thoughts in rapid succession.

that’s a dangerous line of thinking

I wonder who these security freaks are

looks at honeypot Oh no IM the security freak.

That being said fearmongering is bad. Give people actual facts and let them decide for themselves.
source
- Shimitar@downonthestreet.eu ⁨1⁩ ⁨week⁩ ago
  LOL you madre me laugh…
  
  Anyway being security conscious is important, and better be safe than sorry…
  
  source