confusedpuppy
@confusedpuppy@lemmy.dbzer0.com
- Comment on Self hosting Sunday! What's up, selfhosters? 1 week ago:
I bought a second USB SSD which has now become the second backup SSD. I ended up skipping my switch to Podman because I got invested in writing another script.
I’m not interested in having my backup drives automatically decrypt and mount at startup but those were the only guides I could find. I still want to manually type my password and wanted an easier way to handle that.
I ended up writing this script which turned the 4 lines of code I was using before into a 400+ line single file script.
Once I pair it with my rsync script, I’ll be able to remotely, automatically and interactively decrypt, mount, update my backup, unmount and re-encrypt my USB SSD. The script also has tests to make sure the mount directory is ready for use and not sending anything with rsync if the encrypted SSD is not mounted. I just finished writing the script and now I have to integrate it into my systems.
I was originally going to add the second backup to my local-only network Pi server but I think I’ll add it to my web facing Pi server so I am able to access it remotely. I would feel a lot more comfortable knowing that data on there isn’t easily accessible because it’s not auto-mounting.
Other than that, things are boring and boring is good.
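An added example of the guarded unlock, mount, rsync, unmount, re-lock flow the comment above describes. It is not the poster's script. The device path, mapper name, mount point and sentinel file name are assumed placeholders. The part a practitioner most wants before an rsync with --delete runs is the readiness check: if the drive is not actually mounted, the mount directory is just an empty folder on the root disk and rsync would happily fill it. Checking for a mount entry plus a sentinel file that only exists on the encrypted filesystem closes that gap.

```shell
#!/bin/sh
# Added example, not the poster's own script. Assumed names: the LUKS container
# is BACKUP_DEV (placeholder UUID), it is mapped as /dev/mapper/backup and
# mounted at /mnt/backup. A sentinel file is created once on the mounted
# filesystem so an unmounted mount point can never pass as a backup target.
DEV="${BACKUP_DEV:-/dev/disk/by-uuid/REPLACE-WITH-YOUR-UUID}"
MAPPER="backup"
MNT="${BACKUP_MNT:-/mnt/backup}"
SENTINEL=".backup-target"

# True if $1 appears as a mount point in the mounts table ($2, default /proc/mounts).
# Note: /proc/mounts escapes spaces in paths as \040; keep mount points space-free.
is_mounted() {
  awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Ready means: really mounted AND the sentinel that lives only on the encrypted
# filesystem is present. An empty directory on the root disk fails both halves.
target_ready() {
  is_mounted "$1" "$2" && [ -f "$1/$SENTINEL" ]
}

# Interactive unlock: cryptsetup prompts for the passphrase on the terminal,
# nothing is stored on disk or in the script.
unlock_and_mount() {
  cryptsetup open "$DEV" "$MAPPER" || return 1
  mount "/dev/mapper/$MAPPER" "$MNT" || { cryptsetup close "$MAPPER"; return 1; }
}

# Flush, unmount and re-lock so the data is unreadable again once we are done.
unmount_and_lock() {
  sync
  umount "$MNT" && cryptsetup close "$MAPPER"
}

# Copy $1 to the backup target, refusing outright if the target is not ready.
# $2 is an optional mounts table (used by tests); the default is /proc/mounts.
run_backup() {
  if ! target_ready "$MNT" "${2:-}"; then
    echo "refusing to rsync: $MNT is not a mounted backup target" >&2
    return 1
  fi
  rsync -aHAX --delete "$1/" "$MNT/"
}

# Run the whole cycle only when asked: ./backup.sh backup /srv
if [ "${1:-}" = "backup" ]; then
  unlock_and_mount || exit 1
  run_backup "${2:-/srv}"; rc=$?
  unmount_and_lock
  exit "$rc"
fi
```

Create the sentinel once while the drive is mounted (touch /mnt/backup/.backup-target). For the remote interactive case, run it as ssh -t host ./backup.sh backup /srv so cryptsetup's passphrase prompt reaches your own terminal; the -t matters because without a tty cryptsetup cannot ask.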
- Comment on How often do you update software on your servers? 1 week ago:
apk seems to have some tricks in there that aren’t as well known. I managed to catch in the IRC channel that apk add doc will automatically download any related man pages for packages with any future downloads through apk. That made life a bit more convenient instead of downloading all those packages separately.
- Comment on How often do you update software on your servers? 1 week ago:
My web facing server has just enough packages installed to (kinda securely) host a Caddy and Kiwix docker container to work with my domain name and make a comfortable work environment through SSH. My Pi for my HomeAssistant docker container has less because it’s locked down to just my local network.
I also wrote my own install scripts so reinstalling everything and getting it back to a running state would take about 15 minutes for each device.
And I also wrote my own backup/restore scripts that evolved over 3/4 of a year. I use them often so I have confidence in those scripts.
I personally don’t really care too much. I have multiple ways of dealing with issues for something that’s a hobby to me. Which is why I stick to simplicity.
I’m sure this is a thing for people to worry about when dealing with more complex setups. I just wanna vibe out in my tiny corner of the internet.
- Comment on How often do you update software on your servers? 1 week ago:
On Alpine Linux I update my two Pi servers at 2 in the morning daily. It’s simpler compared to Debian which needs unattended-updates. Just add apk update && apk upgrade to a cron job and you’re good to go. I only have three docker services which is simple enough to update manually.
I like to keep things as simple as possible for my already chaotic brain.
- Comment on Selfhosting Sunday! What's up? 2 weeks ago:
I’ve read about that and I already have that in my notes as well.
It doesn’t really affect my needs because my ISP blocks incoming on those ports anyways. Also I’m choosing not to use a tunnel at the moment so I’ll be using a higher port anyways.
The last time I asked about it, a few people seemed to agree it was something to do with the firewall settings. That seems most likely since I was able to connect when I disabled my firewall. I’m not a fan of working with iptables. The language for that type of networking is gibberish to me.
I had also tried going from docker compose to rootful podman compose and ran into the same issue. Although I’m trying to work away from podman compose in the future, just taking it in steps.
- Comment on Selfhosting Sunday! What's up? 2 weeks ago:
Yeah, I mainly just want to move away to more open projects. When I first started, everyone kept suggesting using Cloudflare. After half a year using their service, I just felt icky the entire time.
In the past couple months I was able to move away and chose to protect myself by learning how to harden my server as well as hiding my server behind multiple layers of obscurity.
With my current setup, the only site traffic I get has only been myself and my custom ssh port only gets hit by bots about 3-10 times a week according to my logs. Only time will tell how effective my layers of obscurity will hold up but so far it seems to satisfy my needs better than I was expecting.
Once I get podman in a state I like, I’ll pretty much be all open sourced and all I’ll have to do for myself is be in maintenance mode unless I care to add a new service. I like to keep things simple so I don’t normally go crazy adding new services anyways.
- Comment on Selfhosting Sunday! What's up? 2 weeks ago:
Thank you for the offer. I still need a bit more time to experiment and zero in on the issue again. Fortunately my setup is quite simple and the only bottleneck will be Caddy.
I basically run Caddy which redirects to a static generated blog, simple file server page and a Kiwix instance. I’m mostly making a self hosted reference site of materials for Linux and Scripting resources.
One day I may add a Forgeo instance but currently my entire workflow exists around rsync. I’m happy just having my single file scripts hosted as text files and don’t really need the power of git. At least not at the moment.
- Comment on Selfhosting Sunday! What's up? 2 weeks ago:
I’ve been making another attempt to replace Docker with Podman. The issue is I can’t connect to my server through a web browser. I think it’s a firewall issue.
Networking and networking troubleshooting is a bit confusing for me and that’s the least favourite part about self hosting for me. Turns out I actually enjoy writing scripts more and the challenge of writing POSIX scripts especially.
If I can figure it out, I’ll probably write a guide for setting up Podman and Caddy on Alpine Linux since there isn’t a lot of recent information out there from what I found in my searches so far.
- Submitted 3 weeks ago to mycology@mander.xyz | 1 comment
- Comment on 5 weeks ago:
I use rsync for many of the reasons covered in the video. It’s widely available and has a long history. To me that feels important because it’s had time to become stable and reliable. Using Linux is a hobby for me so my needs are quite low. It’s nice to have a tool that just works.
I use it for all my backups and moving my backups to off network locations as well as file/folder transfers on my own network.
I even made my tool (codeberg.org/taters/rTransfer) to simplify all my rsync commands into readable files because rsync commands can get quite long and overwhelming. It’s especially useful chaining multiple rsync commands together to run under a single command.
I’ve tried other backup and syncing programs and I’ve had bad experiences with all of them. Other backup programs have failed to restore my system. Syncing programs constantly stop working and I got tired of always troubleshooting. Rsync when set up properly has given me a lot less headaches.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
I think I am already doing that. My Kiwix docker container port is set to 127.0.0.1:8080:8080 and my reverse proxy is only open to port 12345 but will redirect kiwi.example.com:12345 to port 8080 on the local machine.
I’ve learned that docker likes to manipulate iptables without any notice to other programs like UFW. I have to be specific in making sure docker containers only announce themselves to the local machine only.
I’ve also used this guide to harden Caddy and adjusted that to my needs. I took the advice from another user and use wildcard domain certs instead of issuing certs for each sub domain, that way only the wildcard domain is visible when I search it up at https://crt.sh/. That way I’m not advertising my sub domains that I am using.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
I started with a local scan first, something like nmap 192.168.40.xxx for a specific device or nmap 192.168.40.0/24 for everything in your current network. Nmap is quite complex with lots of options but there’s a lot of guides online to help out with the basics. You can press enter in your terminal while the scan is running and it should give a progress report.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
My ISP blocks incoming data to common ports unless you get a business account. That’s why I used Cloudflare’s tunnel service initially. I changed my plans with the domain name I currently own and I don’t feel comfortable giving more power and data to an American Tech company so this is my alternative path.
I use Caddy as my reverse proxy so I only have one uncommon port open. My plans changed from many people accessing my site to just me and very few select friends of mine which does not need a business account.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
I get that.
I was generally speaking about all my devices. If someone stole my computer, the full disk encryption is more of a deterrence than the idea of my data being fully secured. My hope is that the third party is more likely to delete than to access. If I catch the attention of someone that actually wants my data, I have bigger issues to worry about than security of my electronic devices.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
I agree with the last point, I only mentioned that because I don’t really know what other setting in my SSHD config is hiding my SSH port from nmap scans. That just happened to be the last change I remember doing before running an nmap scan again and finding my SSH port no longer showed up.
Accessing SSH still works as expected with my keys and for my use case, I don’t believe I need an additional passphrase. Self hosting is just a hobby for me and I am very intentional with what I place on my web facing server.
I want to be secure enough but I’m also very willing to unplug and walk away if I happen to catch unwanted attention.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
Thanks for the insight. It’s useful to know what tools are out there and what they can do. I was only aware of nmap before which I use to make sure the only ports open are the ports I want open. My web facing device only serves static sites and a file server with non identifiable data I feel indifferent about being on the internet. No databases or stress if it gets targeted or goes down.
Even then, I still like to know how things work. Technology today is built on so many layers of abstraction, it all feels like an infinite rabbit hole now. It’s hard to look at any piece of technology as secure these days.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
I use a different port for SSH, I also use authorized keys. My SSHD is setup to only accept keys with no passwords and no keyboard input. Also when I run nmap on my server, the SSH port does not show up. I’ve never been too sure how hidden the SSH port is beyond the nmap scan but just assumed it would be discovered somehow if someone was determined enough. In the past month I did rename my devices and account names to things less obvious. I also took the suggestion from someone in this community and setup my TLS to use wildcard domain certs. That way my sub domains aren’t being advertised on the public list used by Certificate Authorities. I simply don’t use the base domain name anymore.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
Early when I was learning self hosting, I lost my work and progress a lot. Through all that I learned how to make a really solid backup/restore system that works consistently.
Each device I own has its own local backup. I copy those backups to a partition on my computer dedicated to backups, and that partition gets copied again to an external SSD which can be disconnected. Restoring from external SSD to my Computer’s backup partition to each device all works to my liking. I feel quite confident with my setup. It took a lot of failure to gain that confidence.
I also spent time hardening my system. I went through this Linux hardening guide and applied what I thought would be appropriate for my web facing server. Since the guide seems more for a personal computer (I think), the majority of it didn’t apply to my use case. I also use Alpine Linux so there was even less I could do for my system but it was still helpful in understanding how much effort it is to secure a computer.
- Comment on Do bots/scrapers check uncommon ports? 5 weeks ago:
That’s been my main goal throughout securing my personal devices including my web facing server. To make things as inconvenient as possible for potential outside interference. Even if it means simply wasting their time.
With how complex computers and other electronic devices have become, I never expect anything I own to be 100% secure even if I take steps I think will make me secure.
I’ve been on the internet long enough to have built a habit of obscuring my online or digital presence. It won’t save me but it makes me less of a target.
- Submitted 5 weeks ago to selfhosted@lemmy.world | 33 comments
- Comment on Looking for a simple personal homepage 1 month ago:
I found BashWrite which is just a very simple static site generator written completely in bash as a single file script. The only dependency is having an up-to-date sed command which most systems should have. I use Alpine Linux which comes with a minimal sed command so I had to download the full command through my package manager. It’s simple, basic and has support for the majority of markdown formatting. There’s some limitations due to it being written in Bash only but I am personally okay with that.
I found it on this list of static site generators if you’re curious to see more options.
- Comment on Selfhosting Sunday! What's up? 1 month ago:
It looks interesting and seems like it would be easy to set up. I’ll play with it and see how I like it. Thanks for the suggestion
- Comment on Selfhosting Sunday! What's up? 1 month ago:
Since my logs barely move, I just made aliases to where the logs are so it’s quick to display and scan them within the terminal. I’m basically just viewing the system logs, fail2ban log and Caddy’s log so it’s fairly quick and simple for me.
The only change I’d like to do is change the output of Caddy’s log file so it’s not a long single line of information per output. I’ll have to do a bit more reading on that so I know what information I want to keep and how I want to visually organize it. At least for the moment, I am familiarising myself with what I am looking at and am slowly figuring out what information is relevant to me.
I like to keep my systems as simple and lean as possible which seems to strongly reflect my general approach to life. I find that kind of interesting.
- Comment on Selfhosting Sunday! What's up? 1 month ago:
I feel like my little Pi server is set up nicely now. At least I’m at the point where I’m not concerned about technically maintaining it. It’s as secure as I want it to be and I’ve tweaked my maintenance scripts slightly to avoid any unexpected issues.
I tried installing snikket but I couldn’t figure out how to get it to work with my Caddyfile using my current wildcard domain cert configuration. I’ll try again another time when I’m motivated again. It’s a low priority to me.
The last changes I made were adding logs and making them accessible to myself. So far they are all boring and predictable. Which is good news. It’s also nice to see that I’m the only person accessing it. The bots haven’t found my little corner of the internet yet.
Right now I’m taking a break from self-hosted stuff to work on my gardens and two artsy projects. A wooden carving for a friend’s birthday and an overly complicated shell script that has no real purpose. Although I’ve learned lots from it already so it’s not a complete waste of time.
- Comment on Data Backup Solutions 1 month ago:
I use rsync too. It’s older and from what I understand was designed at a time when data storage was much smaller so it may not be as fast as other backup options. It also doesn’t have encrypted backups like other backup options (I think).
Rsync has been the most reliable option for me though. Every syncing option I’ve tried seems too complicated and breaks down every time I look away. Since my entire backup size is around 550gb and I’m not concerned with encrypted backups, I think rsync just works just fine.
I even created my own tool that puts my rsync commands into easy to read/modify files so I can organize my most common transfers. I can easily backup my phone, HomeAssistant server, home server and computer to my two backup locations in a single alias or cronjob now.
A bit of a pain learning how to make proper backups that restore successfully every time, but once I figured it out, I’ve been very confident in my backup strategy.
- Comment on Selfhosting Sunday - slrpnk edition 1 month ago:
I was planning on using weechat and the relay extension for a simple, all-in-one package. Currently I just use IRC for tech support, especially with Alpine linux.
Biboumi seems like a good idea if I wanted to set up a server and I’ll keep it bookmarked. I’m still back and forth about an IRC server so that idea has gone into the bonus category for now. I think Snikket would be a service that’s far more accessible and easier to share with the people I want using it.
I do like that it has xmpp support. I assume it would go well with Snikket.
- Comment on Selfhosting Sunday - slrpnk edition 1 month ago:
I’ve decided to stop using Podman for the moment since it was not allowing me internet to access my services. I’ll try again later when the motivation comes back.
Other than that, I’ve been slowly working on security, reliability and maintenance. For the moment I am happy with my device’s own security which I just finished last week. If I need extra security at this point, it will most likely be from a third party service but I don’t intend on having a known presence so I may get by just being unknown and obscure.
Ddclient on Alpine linux works very strangely so I made a script to check that it’s still updating my IP address and force restart it if necessary. Combined it with my targeted backups script to make the beginning of a maintenance script.
The last two steps are to setup an IRC client + IRC bouncer and a Snikket service and I’ll be happy. Anything I add after that is simply a bonus I can tinker with for fun but I’m looking forward to writing for my blog without technical issues floating in the back of my mind.
- Comment on irl shiny 2 months ago:
I was staying at a hostel in Sydney and it was just me and an English girl just chilling in the common area. It was sort of exposed to the outdoors since there were no doors, just an entrance. It just lead to the sheltered outdoor area but each dorm room had their own heavy door.
We both found out that day that the big roaches that roam there knew how to fly. Not well. Like it struggled to carry its own weight. We both had time to react and do something. We both just watched in horror as it flew right into her hair.
- Comment on Can't access exposed rootful podman container from outside of host device 2 months ago:
podman ps shows the following:
    CONTAINER ID  IMAGE                                 COMMAND               CREATED         STATUS         PORTS                                                          NAMES
    daae60bdcc65  docker.io/library/caddy-caddy:latest  caddy run --confi...  47 minutes ago  Up 47 minutes  0.0.0.0:80->80/tcp, 0.0.0.0:5050->443/tcp, 2019/tcp, 443/udp  caddy
netstat -tunpl shows the following:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:5025            0.0.0.0:*               LISTEN      3270/sshd: /usr/sbi
    tcp        0      0 0.0.0.0:5050            0.0.0.0:*               LISTEN      7342/conmon
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7342/conmon
    tcp        0      0 10.89.0.1:53            0.0.0.0:*               LISTEN      7336/aardvark-dns
    tcp6       0      0 :::5025                 :::*                    LISTEN      3270/sshd: /usr/sbi
    udp        0      0 10.89.0.1:53            0.0.0.0:*                           7336/aardvark-dns
The only difference for the netstat command between Docker and Podman is that Podman shows entries for aardvark-dns and Docker does not which is something I expect.
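An added example, not the poster's tooling, that serves three of the comments on this page: the one about publishing container ports on 127.0.0.1 because Docker edits iptables behind UFW's back, the one about using nmap to confirm that only the intended ports are open, and the podman netstat listing just above. It reads the text of netstat -tunpl and reports every socket bound to a wildcard address (0.0.0.0 or ::) whose port is not on an allowlist you supply. A container port accidentally published on all interfaces shows up here regardless of what UFW believes. Run against the listing above with "5025 5050" as the allowlist, it flags only port 80, which matches the podman ps line publishing 0.0.0.0:80; the function names and the allowlist format are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's script): audit which listening sockets are
# reachable from outside the host. Anything bound to a wildcard address
# (0.0.0.0 or ::) must be on the allowlist of ports you meant to expose.
# Input is the text of `netstat -tunpl`: a saved file, or "-" for stdin.

# Print "proto port program" for every socket bound to all interfaces.
exposed_listeners() {
  awk '
    $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
      if ($1 ~ /^tcp/ && $6 != "LISTEN") next   # skip non-listening tcp rows
      local = $4
      n = split(local, parts, ":")
      port = parts[n]                           # text after the last colon
      addr = substr(local, 1, length(local) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "::") {
        # udp rows have no State column, so the program is one field earlier
        prog = ($1 ~ /^tcp/) ? $7 : $6
        print $1, port, prog
      }
    }' "$1"
}

# Print one line per wildcard listener whose port is not in the allowlist.
# $1 = netstat output (file or "-"), $2 = space-separated allowed ports, e.g. "5025 5050"
unexpected_listeners() {
  allowed=" $2 "
  exposed_listeners "$1" | while read -r proto port prog; do
    case "$allowed" in
      *" $port "*) ;;   # intended to be public
      *) echo "UNEXPECTED: $proto port $port ($prog) is bound to all interfaces" ;;
    esac
  done
}

# Live run on the current host: ./listen-audit.sh audit "5025 5050"
if [ "${1:-}" = "audit" ]; then
  netstat -tunpl 2>/dev/null | unexpected_listeners - "${2:-}"
fi
```

This is the host-side complement to an external nmap scan: nmap tells you what a remote party can reach after the firewall, this tells you what would be reachable if the firewall rules were wrong or, as with Docker's own iptables chains, bypassed. Run it as root so netstat can fill in the program column.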
- Submitted 2 months ago to selfhosted@lemmy.world | 5 comments