• 3 Posts
• 57 Comments
• Joined 1 year ago
Cake day: June 12th, 2023

  • I wouldn’t recommend putting ssh behind any vpn connection unless you have secondary access to the machine (for example a virtual tty/terminal from your provider or local network ssh). At best, ssh should be the only publicly accessible service (unless hosting other services that need to be publicly accessible).

    I usually move the ssh port to some higher number just to get rid of the basic scanners/skiddies.

    Also disable password login (only keys) and no root login.

    And for extra hardening, explicitly allow ssh for only users that need it (in sshd config).
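As an added example (not code from the comment above), a small Python audit that parses an sshd_config and flags the four points the comment lists: default port, password login, root login, and a missing AllowUsers list. The sample configs are constructed, and the OpenSSH defaults assumed for absent keywords are noted in the code.

```python
import re
from typing import Dict, List

# OpenSSH defaults assumed when a keyword is absent from the file.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "permitrootlogin": ["prohibit-password"]}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Parse the global section of an sshd_config into {keyword: values}.
    As in sshd, keywords are case-insensitive and the first occurrence wins,
    except Port and AllowUsers, which accumulate. Parsing stops at the first
    Match block; its conditional overrides are out of scope for this audit."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, values = parts[0].lower(), (parts[1].split() if len(parts) > 1 else [])
        if key == "match":
            break
        if key in ("port", "allowusers"):
            conf.setdefault(key, []).extend(values)
        else:
            conf.setdefault(key, values)
    return conf


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per setting that falls short of the advice above."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if "22" in conf["port"]:
        findings.append("port: still listening on the default port 22")
    if conf["passwordauthentication"][0].lower() != "no":
        findings.append("passwordauthentication: password login allowed, use keys only")
    if conf["permitrootlogin"][0].lower() != "no":
        findings.append("permitrootlogin: root login not fully disabled")
    if not conf.get("allowusers"):
        findings.append("allowusers: no explicit allow-list of ssh users")
    return findings


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = "#Port 22\nPasswordAuthentication yes\nPermitRootLogin prohibit-password\n"
HARDENED_CONFIG = ("Port 2222\nPasswordAuthentication no\nPermitRootLogin no\n"
                   "AllowUsers alice\nAllowUsers deploy\n"
                   "Match User deploy\n    ForceCommand internal-sftp\n")
```

Running `audit_sshd_config` on the weak sample returns all four findings; the hardened sample returns none, and the Match block is ignored as documented.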



  • I don’t use nginx proxy manager but websocket has to be enabled for apps that use websockets (duh) - you would have to dive into docs or example infra configs to check if the service uses it.
    Rule of thumb here would be to enable it for everything. Optionally you could check if the service works with/without it.

    E: Websockets are used when a website needs to talk in “real-time” with the servers - live views, graphs and notifications will usually use it; generally, if the website does not reload/redraw fully but data seems to change, then there is a high chance it uses websockets under the hood (but there are ways to do it without ws, e.g. SSE).

    Example: Grafana uses websockets but qbittorrent web ui uses other means (SSE) and does not require ws.


  • borg backup with rsync.net

    Borg does de-duplication and compression, I’ve used it for multiple things like backing up minecraft servers and it can reduce the final backup size by a lot (like 1-2 TBs to a hundred GB, though that was with content that was highly compressible and didn’t change much over time so the deduplication did a lot too).

    There is also borgbase.com which looks a bit better and focuses only on borg repositories instead of also being compatible with just about any usual tools (e.g. rsync, rclone, etc.).


  • taaz@biglemmowski.win to Selfhosted@lemmy.world, in “[Solved] Sudden Issues” (edited, 3 months ago)

    I would try momentarily replacing the defined dns servers with nameserver 1.1.1.1 and see if stuff improves, though the pull error would hint that docker did resolve the name but somehow didn’t get an answer.
    Hard to guess what else could be a problem apart from some obvious stuff - check if the internet connection is healthy and stable (ping, watch for spikes in ms or drops; also, any outgoing firewall filters?).

  • I think your idea is not necessarily wrong but it would be hard to get right, especially without making the entry into the fediverse too painful for new (non-tech) people; I think that is still the number one pain point.

    I have been thinking about moderation and spammers on fediverse lately too, these are some rough ideas I had:

    • Ability to set stricter/different rate-limits for new accounts - users with an account age less than X can do only A actions per N seconds [1] (with a better explained rate-limit message on the frontend side)
    • Some ability to not “fully” federate with too fresh instances (as a solution to note [1])
    • Abuse reputation from modlog/modlog sharing/modlog distribution (not really federation) - this one is tricky, the theory is that if you get many moderation actions taken against you, your “goodwill reputation” lowers (nothing to do with upvotes) and some instances could preemptively ban you/take mod action, either through automated means or (better) the mods of other instances would have some kind of (easy) access to this information so that they can employ it in their decision.
      This has mostly nothing to do with bot spammers but instead with recurring problem makers/bad faith users etc.
      Though this whole thing would require some kind of trust chains between instances, not easy development-wise (this whole idea could range from built-in algorithms taking in information like instance age, user count, user age and so on, to some kind of manual instance trust grading by admins).

    ~

    All this together, I wouldn’t be surprised if, in the future, there will eventually be some kinds of strata of instances, the free wild west with federate-to-any and the more closed in bubbles of instances (requiring some kind of entry process for other new instances).


    [1] This does not solve the other problem with federation currently being block-list based instead of allow-list based (for good reasons).
    One could write a few scripts/programs to simulate a federating instance and have tons of bots ready to go. While this exact scenario is probably not usual because most instances will defed. the domain the moment they detect a bigger amount of spam, it could still be dangerous for the stability of servers - though I couldn’t confirm if the lemmy federation api has any kind of limits, can’t really imagine how that would be implemented if the federation traffic spikes a lot.

    (Also in theory one could have a shit-ton of domains and subdomains prepared and just send tons of spam from these? Unless there are some limits already, afaik the only way to protect from this would be to switch to allow-list based federation.)

    Lot of assumptions here so tell me if I am wrong!
    Edit: Also sorry for kind of piggy-backing on your post OP, wanted to get these ideas out here finally
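An added example, not code from the comment above or from Lemmy, of the first idea in that comment: a sliding-window rate limiter whose action budget is picked by account age at request time, and whose rejection message tells the frontend which tier applied and when to retry. The tiers, limits and window lengths are illustrative assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# (max account age in seconds, label, allowed actions, window in seconds).
# Illustrative assumptions for this example, not Lemmy's real limits.
TIERS: List[Tuple[int, str, int, int]] = [
    (24 * 3600, "under-1-day", 3, 600),        # brand new: 3 actions per 10 min
    (7 * 24 * 3600, "under-1-week", 10, 600),  # still fresh: 10 per 10 min
]
DEFAULT_TIER = ("established", 60, 600)        # everyone else: 60 per 10 min


def tier_for(account_age_s: float) -> Tuple[str, int, int]:
    """Return (label, actions, window_seconds) for an account of the given age."""
    for max_age, label, actions, window in TIERS:
        if account_age_s < max_age:
            return label, actions, window
    return DEFAULT_TIER


class AgeTieredRateLimiter:
    """Sliding-window limiter whose budget is chosen by account age at request time."""

    def __init__(self, created_at: Dict[str, float]) -> None:
        self.created_at = created_at  # user -> account creation time (unix seconds)
        self.history: Dict[str, Deque[float]] = defaultdict(deque)  # user -> action times

    def check(self, user: str, now: float) -> Tuple[bool, str]:
        """Record the action if within budget; return (allowed, message for the frontend)."""
        label, actions, window = tier_for(now - self.created_at[user])
        q = self.history[user]
        while q and q[0] <= now - window:  # forget actions that have left the window
            q.popleft()
        if len(q) >= actions:
            retry_in = int(q[0] + window - now) + 1  # when the oldest action expires
            return False, (f"rate limited: {label} accounts may perform {actions} actions "
                           f"per {window}s; try again in {retry_in}s")
        q.append(now)
        return True, "ok"
```

Because the tier is re-evaluated on every call, an account that ages past a threshold gets the larger budget automatically, without any stored per-user state beyond its recent action times.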