IanTwenty
@IanTwenty@lemmy.world
- Comment on Securing a 'public' service for family 1 week ago:
Was this comment meant for a different conversation? We’re talking about VPNs here.
- Comment on Securing a 'public' service for family 1 week ago:
I’ve got probably 30+ households of people and multiply that by the number of devices…this is also something that will only be live for 12 months maybe. I think if I was doing something long-lived it might be worth the effort to get everyone onto VPN but for this…just can’t justify the time. Thanks anyway.
- Comment on Securing a 'public' service for family 1 week ago:
Hey thanks for this. Yep I’ve got too many users and most are not technical so it’s just a huge headache to get them all onto VPN no matter how simple. That said I’d consider tailscale/funnel for other projects and it’s always good to hear what others are using.
- Comment on Securing a 'public' service for family 1 week ago:
👍 looks like it’s fairly easy to add something like ModSecurity WAF to nginx
- Comment on Securing a 'public' service for family 1 week ago:
Thought process is: Peertube or some other service’s first job is the purpose for the service, so security likely won’t be as good as a service whose first job is security.
Really good point. I see many selfhost instructions now that say ‘we don’t bother with HTTPS, just use a proxy to handle that’ and maybe auth should go the same way as in there are good solutions that specialise in auth so it’s not worth each project doing it themselves.
apps can’t deal with hitting Authentik 1st afaik
Another good consideration. There is an early Peertube app but I doubt my users will be using it, web access is fine for this. Perhaps apps for things like Lemmy/Mastodon/Peertube etc will need to work better with these auth frontends in future.
- Comment on Securing a 'public' service for family 1 week ago:
Thanks for this suggestion - this is interesting because it looks like pangolin combines almost all the measures mentioned so far here apart from Anubis: auth provider with one-time email passcodes, geoip blocking, crowdsec plus bonus automated cert handling. It does look like it does nearly everything in one package and I can pay for them to host it for me if I don’t want to selfhost those parts. Strong contender!
- Comment on Securing a 'public' service for family 1 week ago:
Really good point. I can definitely restrict to one country and anyone using their own VPNs/TOR/whatever will be sophisticated enough to understand why it’s restricted and how to keep their access.
- Comment on Securing a 'public' service for family 1 week ago:
Super useful thanks!
- Comment on Securing a 'public' service for family 1 week ago:
Good to hear Anubis is effective - I would hope that takes the site out of the ‘easy target’ sort of category and most bots give up. Yeah I think monitoring is gonna be key to keep an eye on threats. Thanks!
- Comment on Securing a 'public' service for family 1 week ago:
I had to look up NPM as in my head it’s NodeJS Package Manager but TIL there’s also Nginx Proxy Manager!
I like your VPN solution for a small group and actually tying it to their home network/router could make sense and further restrict attacks I have to deal with. However in my case I could be dealing with 30+ households of users and as others say I am bound to get people on mobiles complaining they can’t access it. However noted for future projects.
- Comment on Securing a 'public' service for family 1 week ago:
That’s a great suggestion, then I’m not relying just on the app/service to have super secure auth.
- Comment on Securing a 'public' service for family 1 week ago:
Hey thanks for these links I will check them out! Magic links would be great actually as then I am not relying on them to set decent passwords or giving them the burden of TOTP/etc which some may not have used before.
- Comment on Creating similar service to AlternativeTo 1 month ago:
An example site that takes user submissions and is not a wiki:
github.com/nerdydaytrips/website
Users submit a form that is turned into a github PR, hosted with cloudflare worker. Site itself is completely static, made with hugo. The data about each map pin is simply key/value in the frontmatter of a markdown file:
github.com/…/1066-battle-of-hastings.md
Simple but effective and can be styled however you need (hugo has themes). Moderation can scale by adding more contributors who can merge PRs.
- Comment on Your household smart products must respect your privacy – including your air fryer 2 months ago:
‘Last year, we asked the public for their views on smart products in a series of workshops. People shared concerns that products collect too much personal information, and said that they feel powerless to control how their data is used and shared’
Thank you to these people!
- Comment on We Should Immediately Nationalize SpaceX and Starlink 2 months ago:
I’m checking this out!
- Comment on Syncthing alternatives 2 months ago:
…could it be your phone’s storage is failing then?
- Comment on Looking for a DMARC processor that alerts me for failures 3 months ago:
I have not yet had a chance to try it but there’s this:
domainaware.github.io/parsedmarc/
Currently I use my own Python script to do some basic reporting but would rather pool effort.
- Comment on Ideal Business Stack? 3 months ago:
I don’t see anyone talking about the human side so I’ll ask - what is the appetite for change? I can see you yourself are motivated and that’s great. How do you feel the attitude is with the others there? Migrating a company that’s been working analogue for decades sounds like a big change programme regardless of the tech choices you ultimately make. This sounds like process change as well as technology change and that requires using another set of skills to wrangle the people.
I would advise to pick a small area first that’s causing the most pain but also very amenable to common tech most people are already familiar with and is only a small change to existing processes. Get an early visible success.
The photo management might be a good start as we all are used to these apps on our phones and the tech is mature and easy to find in FOSS.
Everyone loves Immich though it has some big warnings on its github page about its own maturity. Maybe something simpler: just file/photo syncing and a shared gallery? It can always be upgraded in future. Syncthing is solid, some kind of NAS and one of the older/mature galleries running on top. Get your backup process nailed down and run a real recovery process before too many photos are at stake.
Anyway it sounds exciting and kudos to you for looking to FOSS. Good luck!
- Comment on CVE Board members launch the CVE Foundation, a dedicated, non-profit to continue identifying vulnerabilities, after the US ended its contract with Mitre 4 months ago:
There is some distribution of effort/expertise at least:
When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.
- Comment on How do I use HTTPS on a private LAN without self-signed certs? 4 months ago:
Not on Firefox, some site functionality is disabled: medium.com/…/the-ultimate-newbie-guide-for-self-s…
- Comment on How do I use HTTPS on a private LAN without self-signed certs? 4 months ago:
I know what you mean but using real self-signed certificates (i.e. no CA at all) with modern browsers causes so many issues I find them unusable.
- Comment on How do I use HTTPS on a private LAN without self-signed certs? 4 months ago:
I’ll mention this as no one has yet but you can be your own CA. Tools like mkcert make it easy.
This is potentially more hassle (than using public DNS) as you have to get your CA certs onto every device. However it may be suitable depending on the situation.
- Comment on Google Chrome disables uBlock Origin for some in Manifest v3 rollout 5 months ago:
If you have the time try the troubleshoot mode to help figure it out - add-ons are often the cause.
- Comment on Do you selfhost your own blog/website? 10 months ago:
You can do the same with GitLab as another option, it supports custom domains too.