top | item 40694988

(no title)

waingake | 1 year ago

Is it? If you've got `PasswordAuthentication` disabled, only allow public key logins and keep your system up to date. Honest question.

I self host my email ( docker-mailserver ) and host my personal website on an old laptop with a static IP. Have done for years now without issue.

discuss

pkrotich|1 year ago

The keyword is diligently keeping your system up to date! That said you’ll still have exposure to zero day vulnerabilities and DOS attacks.

Fabricio20|1 year ago

But an attacker with one of the biggest vulnerabilities on earth (hell, ssh noauth 0day) would very likely use it against big cloud providers and infrastructure (isps and others) and not burn it on your home server! Keeping it reasonably up to date with your distro's cycle is probably enough for most people doing this home server thing.

So of course, as things always are with security this is a matter of risk assessment and understanding your attack surface, a server with only public key and maybe on a special port goes a very long way, add fail2ban on top and i'd say it's probably fine for quite a while.

But that does make me think... what if... a wormable noauth 0day like that on ssh or some other popular system... how fast could it replicate itself to form the biggest botnet.. how long would it take, to take over all visible linux servers on the internet (so that your little home box ends up being a target)?

I guess at that point you are limited by bandwidth, but since you can scale that with every compromised server... hope someone does the math on that one day!

kristopolous|1 year ago

https://wiki.debian.org/UnattendedUpgrades Most distros have something like this.

Beijinger|1 year ago

"PasswordAuthentication disabled" not sure I can even do this on my shared BSD server. I have ssh access via pw and need it. Is this really dangerous?

Scramblejams|1 year ago

Yes, it's risky to accept password auth if someone sharing the box with you has a poor password. They could do things like:

. Install a spam or brute force password bot, which could get the machine kicked off its internet connection (in addition to whatever havoc it causes first)

. DoS the server by filling up the disk or using too much RAM (are quotas enforced?)

. Exploit a local vuln to get root, if such exists on that box. (Is the kernel promptly patched and the box rebooted?)

. Explore other users' directories (are permissions locked down correctly across users?)

…and more thrilling possibilities!

Embrace key auth. Future you will thank you.

johnklos|1 year ago

It is, if for no other reason than you never know when some other user has a guessable password. You should switch everyone to ssh keys. It's a good excuse to learn :)

sneak|1 year ago

Yes. Authenticating with passwords is obsolete and dangerous. Use keys and disable password auth.

fragmede|1 year ago

How good is your password? If it's long, with special characters, it's fine. Install fail2ban. The problem with auth keys is you can't get into the server if you don't have your laptop/phone/NFC device because you got pickpocketed/mugged?

Beijinger|1 year ago

"I self host my email "

Is this still possible? Are your emails getting delivered?

Downvoted. I don't know when the downvoter tried the last time to "host their own email". Yes, DMARC, DKIM und SPF. Good luck trying to get your email deliverd to t-online or something.

https://forum.hestiacp.com/t/t-online-curious-story-about-th...

They may even check if your domain has an "imprint". I kid you not. I use my own domains too, but I piggyback with infomaniak.com

pja|1 year ago

> Is this still possible? Are your emails getting delivered?

Mine are. Although it probably helps to have a static IP with a 25 year long clean history.

Are there very occasional glitches? Sure. But I've seen ISPs drop everything from GMail on the floor for no obvious reason. I've seen GMail drop GMail email before. Same for every other large email provider.

To date I haven't seen any reason strong enough to push me to switch to a centralised email host. That day may yet come of course.

A1kmm|1 year ago

I self-host my email, and have not really had problems delivering normal quantities of personal email (except a bit of pain for Microsoft to accept mail in the first place, but it can be sorted quickly) - as long as you do DMARC / DKIM / SPF.

I've never heard of t-online before or tried to send an email there to my knowledge... if one provider I've never heard of would refuse to accept my mail if I ever sent something to them, that's more of a them problem than a me problem - but it certainly isn't the norm for other providers.

hggh|1 year ago

> Is this still possible? Are your emails getting delivered?

Yes and yes (if DMARC/DKIM/SPF configured correctly).

johnklos|1 year ago

> Good luck trying to get your email deliverd to t-online or something.

People who say it cannot (or should not) be done should not interrupt those who are doing it.

The dismissiveness is likely why you are downvoted, I'm guessing. The suggestion that because it's hard for you and therefore you're surprised others are doing it isn't a good look.

Self hosting email isn't that hard, and there are many solutions for all sorts of self hosting issues. That's a topic for another discussion, though.

cherryteastain|1 year ago

I fo it too and can deliver to gmail/office365 etc addresses no problem.

gsich|1 year ago

yes and yes.

Selfhost does not imply residential IP.