16
macbury
4y

Github is again down, I wonder if they triggered deploy from wrong branch.

Fuck this shit, moving to selfhosted solutions:
https://gitea.io/en-us/

Comments
  • 4
    Gitea is good
  • 8
    GitHubs CI/CD be like. Deployment failed, branch name master in sub repo is racist.
  • 8
    Just sayin: A lot of people bought Raspberry Pi and don't use it for anything while it is completely capable of being a git server. Don't put off the security though.
  • 0
    @Pyjong Can you enlighten me on how to push towards a secure instance? What steps should I take?
  • 1
    @Tisila e.g. you can move your SSH to some non-default port. You can set up iptables to deny IPs that have tried and failed to establish connection n times. You can use port knocking. You can use some scheme to decide when the ssh server's gonna be up and listening and close it for the rest of the time.
  • 3
    Or just put wireguard and push shit over VPN
  • 1
    @Pyjong Thank you! =) That's exactly what I was asking for.

    I do already have SSH on a non default port.

    Just have to search up those terms and learn about how to set them up.
  • 0
    @macbury I do have a Wireguard VPN setup already working, so at first, I'm gonna take this route.
  • 1
    Btw, there were plenty more, but this https://www.binaryedge.io/ is one of them who turned around at my RPi before I started hiding the device and blacklisting IPs. I just found it interesting someone makes a living out of this. It's proly legit business though. Back then I think the domain was 40fy.io or something.
  • 2
    @Pyjong I hope by "blacklisting IPs" you mean using fail2ban to automatically refuse connections after a few failed login attempts, and not manually going through logs, looking for repeat offenders and manually adding iptables rules with their ip
  • 1
    @endor Yes, but not fail2ban, there is a way to do this with just iptables (see --hitcount). But TBH, at first I was adding IPs manually as you say, because I thought no one really cares about my domestic IP. I thought it would stop if I ban a few. Then I added the iptables rules, which helped, but people kept trying and the banlist grew, so I installed knockd and wrote a port knocker, which is very simple and that pretty much did it. I tried a few more things, to make it a bit harder for someone who knows you use port knocking, but I don't think I needed that.
  • 2
    @Pyjong security through obscurity is not as secure as you think. Sure, port knocking can be a good way to camouflage a service, but it can also get in your way when something breaks.
    A much safer method is to simply disable password authentication and only use ssh keys, then configure ssh to only use the most secure encryption and key exchange algorithms (see https://stribika.github.io/2015/01/... )

    Oh, and if you need to ban large lists of ips or ip ranges, there's ipset
  • 1
    @endor I agree key based authentication is more secure.
Add Comment