Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Funny story about the first time two of my servers got hacked. The fun part is how I noticed it.
So I purchased two new vps's for proxy server goals and thought like 'I can setup fail2ban tomorrow, I'll be fine.'
Next day I wanted to install NginX so I ran the command and it said that port 80 was already in use!
I was sitting there like no that's not possible I didn't install any server software yet. So I thought 'this can't be possible' but I ran 'pidof apache2' just to confirm. It actually returned a PID! It was a barebones Debian install so I was sure it was not installed yet by ME. Checked the auth logs and noticed that an IP address had done a huge brute force attack and managed to gain root access. Simply reinstalled debian and I put fail2ban on it RIGHT AWAY.
Checked about two seconds later if anyone tried to login again (iptables -L and keep in mind that fail2ban's default config needs six failed attempts within I think five minutes to ban an ip) and I already saw that around 8-10 addresses were banned.
Was pretty shaken up but damn I learned my lesson!8 -
Just a rant... It really sucks to work with maven on a security-paranoid financial institution enforcing ntml proxy auth...
Also usb ports disabled... :(5 -
ZTNA is just reinventing the wheel. Yeah, we open all our shit to the outside and let some client do some checks to grant you access. WE HAD THAT SHIT FOR AGES! ITS A VPN TUNNEL TO OUR SELF HOSTED SHIT THAT YOU HAVE TO LOGIN ANYWAY. Its just like someone in security marketing decided to put a name on something you should be doing anyway. Especially clientless ZTNA, thats just a reverse proxy with an auth header.
Man, cybersecurity lately just feels like sales just trying to sell you best practices and AI instead of actually usable software!1 -
Google didn't implement their own straightjacket APIs correctly but sunset Manifest V2 out of pure greed so now authenticated proxies don''t work in Chrome and Chromium-based browsers.7
-
So, I manage my server with docker containers (nginx-proxy and the letsencrypt-companion). I limit access to some subdomains using basic auth, but I want to use client certificates for convenience.
So my questions to the experts:
1) Do you know a good (and convenient) way to manage client certificates ? This should include revoking certs and allowing specific certs only for specific subdomains.
2) Should I use my letsencrypt CA for this or would a self signed CA better suited?
3) Any things I should be aware of?1
Top Tags
Weekly Rant
View