kristoff

@kristoff@infosec.pub

This is a remote user, information on this page may be incomplete. View at Source ↗

selfhosted service to share files to SSO-authenticated users ?
Submitted ⁨⁨10⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨4⁩ ⁨comments⁩
⁨Comment⁩ on ⁨what if your cloud=provider gets hacked ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
What was that saying again?

“the biggest thread to the safety and cybersecurity of the citizens of a country … are managers who think that cybersecurity is just a number of an exellsheet”

(I don’t know where I read this, but I think it really hits the nail on the head)
⁨Comment⁩ on ⁨what if your cloud=provider gets hacked ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
I have been thinking the same thing.

I have been looking into a way to copy files from our servers to our S3 backup-storage, without having the access-keys stored on the server. (as I think we can assume that will be one of the first thing the ransomware toolkits will be looking for).

Perhaps a script on a remote machine that initiate a ssh to the server and does a “s3cmd cp” with the keys entered from stdin ? Sofar, I have not found how to do this.

Does anybody know if this is possible?
⁨Comment⁩ on ⁨what if your cloud=provider gets hacked ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
Yes. Fair point.

On the other hand, most of the disaster senarios you mention are solved by geographic redundancy: set up your backup // DRS storage in a datacenter far away from the primary service. A scenario where all services,in all datacenters managed by a could-provider are impacted is probably new.

It is something that, considering the current geopolical situation we are now it, -and that I assume will only become worse- that we should better keep in the back of our mind.
⁨Comment⁩ on ⁨what if your cloud=provider gets hacked ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
In this case, it is not you -as a customer- that gets hacked, but it was the cloud-company itself. The randomware-gang encrypted the disks on server level, which impacted all the customers on every server of the cloud-provider.
⁨Comment⁩ on ⁨what if your cloud=provider gets hacked ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
The issue is not cloud vs self-hosted. The question is “who has technical control over all the servers involved”. If you would home-host a server and have a backup of that a network of your friend, if your username / password pops up on a infostealer-website, you will be equaly in problem!
⁨Comment⁩ on ⁨what if your cloud=provider gets hacked ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
Well, the issue here is that your backup may be physically in a different location (which you can ask to host your S3 backup storage in a different datacenter then the VMs), if the servers themselfs on which the service (VMs or S3) is hosted is managed by the same technical entity, then a ransomware attack on that company can affect both services.

So, get S3 storage for your backups from a completely different company?

I just wonder to what degree this will impact the bandwidth-usage of your VM if -say- you do a complete backup of your every day to a host that will be comsidered as “of-premises”
what if your cloud=provider gets hacked ?www.bleepingcomputer.com ↗
Submitted ⁨⁨10⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨35⁩ ⁨comments⁩
⁨Comment⁩ on ⁨authentik .. backup and/or syncronisation ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
First of all, thanks to all who replied! I didn’t think there would have been that many people who self-host a SSO-server, so I am happy to see these replies.

As a side-note, I have also been looking into making the setup more robust, i.e. add redundancy. For a “light redundant” senario (not fully automatic, but -say- where I have a 2nd instance ready to run, so I just need to adapt the DNS-record if it is needed), can I conclude from the “makeing a backup” question, that I just need to run a 2nd instance of postgres and do streaming-replication from the main instance to the backup-instance ?

Or are there other caviats I haven’t thought about?
⁨Comment⁩ on ⁨authentik .. backup and/or syncronisation ?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
Great thanks! (also thanks to Mike … you have some valid points)
authentik .. backup and/or syncronisation ?
Submitted ⁨⁨10⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨3⁩ ⁨comments⁩
⁨Comment⁩ on ⁨jitsi .. redundant setup ?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
For me, the first goal is to simply understand the setup. I now have been able to create a setup with two frontend jvb-instances and one backend. In the end, the architecture setup of a jitsi-server is quite nicely explained, and -by delving a little bit into the startup scripts of the docker-based jitsi setup, you do get some idea of how things fit together.

From a practicle point of view, I think I’ll go for the basic setup (1 backend, 2 frontends) natively on two servers, and -if the backend server would go down- just have a dockerised backup-setup ready to go if it would be needed.

Thanks!
jitsi .. redundant setup ?
Submitted ⁨⁨11⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨2⁩ ⁨comments⁩
⁨Comment⁩ on ⁨just to be sure, when setting up nextcould i need to purchase a domain name?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Hi,

Good idea!

And once you have you domainname, you can do the following:

. set up a reverse reverse proxy (apache, nginx) in front of nextcloud . in the configuration of apache/bginx use virtual hosts.
- make sure that the default virtualhost (in apache, that is the the one that does not have “ServerName”) first in the configuration. Point that to a local website with just an empty directory
- then, AFTER the default virtual host, add the reverse-proxy configuration of your nextcloud instance.
What this does, is that if somebody addresses your website with a URL that does not contain the exact hostname of your nextcloud, the webquery will go to the empty website and simply return a 404 So, a hacker who does a webrequest to “/login” will just get a “404 not found” and not reach your nextcloud instance.

This keeps people who just scan the internet for vulnerable systems and try out all kind of URLs to try to get in out of your nextcloud.

Of course, this only works if you keep the full hostname of your instance to yourself and do not post it somewhere (including social media, mailing-lists, …)

Good luck with your nextcloud server
⁨Comment⁩ on ⁨just to be sure, when setting up nextcould i need to purchase a domain name?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
for the nextcloud instance on my local LAN , I use the .local domain (multicast DNS). Just enable avahi on your server and you can use hostname.local on your network without having to deal with local DNS on your router and so on.
⁨Comment⁩ on ⁨just to be sure, when setting up nextcould i need to purchase a domain name?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Hi,

What is the reason you do not want a domain? it is not that DNS-domains are that expensive these days. The cheapest option I found is .ovh (which is one of the major cloud-providers in France), which is 3 euro / year (+VAT). You can then put as much hosts or subdomains under it, and it supports dynamic IP.

Agreed, .ovh is not the most “professional” looking domain, but it depends on what you want to do. If your goal is simply to have something for yourself / family / friends, then this is good enough.

BTW. Having your own domain for a nextcloud instance has additional its advance, like you can get a real https/tls certificate from letsencrypt, and -if you put a reverse DNS in front of your NC- it shields you from people who just scan the complete IP-space of the internet but who do not know your domain.
⁨Comment⁩ on ⁨Jitsi meet...what are the advantages of self-hosted in this case?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Hi,

I have also been thinking about selfhoating a jisti-meet server. Just how easy / difficult is it to selfhost it? Do you run it in docker or natively? Linux or some other OS (FreeBSD)?

Kr.