Served in the Krogan uprisings. Now I run a podcast

https://bdsmovement.net/get-involved/what-to-boycott

  • 5 Posts
  • 46 Comments
Joined 2 years ago
Cake day: June 12th, 2023
  • JoeKrogan@lemmy.worldtoSelfhosted@lemmy.worldTwo VPNs?English
    1·
    4 months ago

    Well i have the rp as i only want one port exposed. I have separate networks per service too to isolate things. Only the things that need to talk to each other can.

    My stuff is only accessible on the lan and via the vpn and even then only certain ips have access to certain things.

    In your case it might be different , but generally a reverse proxy is better as you can have a single point of access to secure and you are not exposing all of your ports to the host or the internet.

  • JoeKrogan@lemmy.worldtoSelfhosted@lemmy.worldTwo VPNs?English
    4·
    4 months ago

    I have the arr stack connected to gluetun doing its thing and then wireguard on the host. I only expose my reverse proxy to the host and can connect to the services through that.

    Note the networks below, vpn_net allows it to talk to the gluetun network which has the other stuff. The gluetun and arr stuff are in a separate compose file that defines the network. Then the non vpn stuff connects to that network when it comes up

    nginx: 
    image: nginx:1.25.4-alpine-slim
    container_name: nginx
    restart: always
    volumes:
       - /etc/letsencrypt/:/etc/letsencrypt/
       - ./nginx/nginx.conf:/etc/nginx/nginx
       - ./nginx/conf/:/etc/nginx/conf.d/:ro
       - ./nginx/htpasswd:/etc/apache2/.htpasswd:ro
       -  /var/log/nginx:/var/log/nginx/
       - ./www/html/:/var/www/html/:ro
       - ./content/Movies:/var/www/media/Movies:ro
       - ./content/Shows:/var/www/media/Shows:ro
    ports:
       - 443:443
    security_opt:
      - no-new-privileges
    networks:
      - reverse-proxy_service1
      - reverse-proxy_serviceN
      - vpn-stack_vpn-net
    depends_on:
      - service1
      - serviceN
  • JoeKrogan@lemmy.worldtoOpen Source@lemmy.mlXZ Hack - "If this timeline is correct, it’s not the modus operandi of a hobbyist. [...] It wouldn’t be surprising if it was paid for by a state actor."
    121·
    2 years ago

    I’m curious to know about the distro maintainers that were running bleeding edge with this exploit present. How do we know the bad actors didn’t compromise their systems in the interim ?

    The potential of this would have been catastrophic had it made its way into the stable versions, they could have for example accessed the build server for tor or tails or signal and targeted the build processes . not to mention banks and governments and who knows what else… Scary.

    I’m hoping things change and we start looking at improving processes in the whole chain. I’d be interested to see discussions in this area.

    I think the fact they targeted this package means that other similar packages will be attacked. A good first step would be identifying those packages used by many projects and with one or very few devs even more so if it has root access. More Devs means chances of scrutiny so they would likely go for packages with one or few devs to improve the odds of success.

    I also think there needs to be an audit of every package shipped in the distros. A huge undertaking , perhaps it can be crowdsourced and the big companies FAAGMN etc should heavily step up here and set up a fund for audits .

    What do you think could be done to mitigate or prevent this in future ?