Yeah I know (I mentioned it myself in the post), but realistically there is no much you can do besides upgrading. Unattended upgrades kick in once a day and you will install the security patches ASAP. There are also virtual patches (crowdsec has a virtual patch for that CVE), but they might not be very effective.
I argue that VPN software is a smaller attack surface, but the problem still exists (CVEs) for everything you expose.
AFAIK I know that SSH has MaxAuthTries and LoginGraceTime, but all it does is terminating the SSH session (I.e. slow down at most), it won't block the IP via firewall or configuration.
Not sure if there is a recent feature that does the same.
Yeah, what I mean is that it's useless using ports like 2222, that's like the unofficial SSH port!
Bots are generally harmless (once you move to key auth), and you get functional the same result with the automatic IP ban on failed auth, minus the bother to change client configurations to your custom port. Anyway, if someone does want cleaner logs, changing port works :)
Also hypervisors get escape vulnerabilities every now and then. I would say that in a realistic scale of difficulty of escape, a good container (doesn't matter if using Docker or something else) is a good security boundary.
If this is not the case, I wonder what your scale extremes are.
A good container has very little attack surface, since it can have almost no code or tools available, a read-only fs, no user privileges or capabilities whatsoever and possibly even a syscall filter.
Sure, the kernel is the same but then the only alternative is to split that per application VMs-like) and you move the problem to hypervisors.
In the context of this asked question, I think the gains from reducing the attack surface are completely outweighed from the loss in functionality and waste of resources.
Additional bonus: proxies that interact with the docker API directly (I think also caddy can do it) save you from exposing the services on any port at all (only in the docker network). So it's way less likely to expose a port with a service by mistake and no need for arbitrary and unique localhost ports.
There is a list on this page of compatible services. If you don't want to use one more service (DNS), you can use a domain registrar with an API (like porkbun) and find online tools that work with that.
Be aware of the risks of hosting your websites publicly from home, make sure to run them in very isolated environments. Having your VPS compromised is bad, but having your home network compromised is much worse!
Fair question. What I meant is that suggesting that would have made the whole post 10 lines long and not worth doing.
So I avoided such suggestions that completely change the threat model.
It's not useless to avoid a good security posture (although you might have concerns of a monopoly gatekeeping the internet, TLS traffic inspection privacy concerns etc.), on the contrary makes everything I have written about here redundant (+ provide more, like DDoS protection) as you are outsourcing the security controls.
Yep I agree. Especially looking at all the usernames that are tried. I do the same and the only risk come from SSH vulnerabilities. Since nobody would burn a 0-day for SSH (priceless) on my server, unattended upgrades solve this problem too for the most part.
That is basically the essence of this post too! Except crowdsec is used to do what fail2ban does + some light form of WAF (without spinning another machine - which is not strictly needed for a WAF, you can use owasp modsecurity-ready proxies).
Thanks! I did mention this briefly, although I belong to the school that "since I am anyway banning IPs that fail authentication a few times, it's not worth changing the port". I think that it's a valid thing especially if you ingest logs somewhere, but if you do don't choose 2222! I have added a link to shodan in the post, which shows that almost everybody who changes port, changes to 2222!
Yes, pretty much that. Plus some configuration might be easier with a DNS hosting. But the main benefit is decoupling domain and DNS for easier change.
I thought my API keys were expired, I regenerated them, changed a couple of things, checked all API calls to see if they changed API itself...then I searched the exact error and found out.
For such a breaking change to the API, was it hard to drop an email to every account not meeting the damn "requirements" with an API call performed in the last x months, to alert of the change?
Yep, I like bunny in fact. It didn't have all the features I needed back then, but it's a very good product, I heard very good things.
I also agree about the pricing. I ended up not using desec.io, but if I did, I would have probably set a 1-2 Euros recurring donation, as I feel that's a totally acceptable price.
As for why people use GoDaddy well... I feel personally attacked as that's exactly how I ended up there, when I didn't know better.
I also use porkbun, their API is not a masterpiece but it works and allows you to get, set and update records. In fact their API is now supported by some of the common ddns scripts out there.
That's a very interesting gotcha. They don't seem to support address ranges either. Unless once you add the whitelist the requests still work from any address (their documentation is ambiguous).
This is even more confusing.
Desec.io is a good option. To be honest using cloudflare just for DNS is completely OK. It's not a service that allows spying on you or consolidates their monopoly.
I also migrated everything to Porkbun. Gandi used to be good too, we used it extensively at work in my previous org (~3 years ago).
Is the whole sector regressing? It seems these companies aren't happy just earning a profit based on the service they offer. There is always something "more" that they need to do. Often this makes the experience worse. Meh.
Super happy with Porkbun BTW, it just works, does what it's needed and I found the renewals to be 50% cheaper compared to GoDaddy...
Yeah I know (I mentioned it myself in the post), but realistically there is no much you can do besides upgrading. Unattended upgrades kick in once a day and you will install the security patches ASAP. There are also virtual patches (crowdsec has a virtual patch for that CVE), but they might not be very effective.
I argue that VPN software is a smaller attack surface, but the problem still exists (CVEs) for everything you expose.