zlacker

[return to "A story on home server security"]
1. rpadov+Q2[view] [source] 2025-01-05 13:19:23
>>todsac+(OP)
> "None of the database guides I followed had warned me about the dangers of exposing a docker containerized database to the internet."

This prompts a reflection about, as an industry, we should make a better job in providing solid foundations.

When I check tutorials on how to drill in the wall, there is (almost) no warning about how I could lose a finger doing so. It is expected that I know I should be careful around power tools.

How do we make some information part of the common sense? "Minimize the surface of exposure on the Internet" should be drilled in everyone, but we are clearly not there yet

◧◩
2. tossan+04[view] [source] 2025-01-05 13:30:50
>>rpadov+Q2
Just like people shouldn't just buy industrial welding machines, SCUBA equipment or a parachute and "wing it" I think the same can be said here.

As a society we already have the structures setup: The author had been more than welcome to attend a course or a study programme in server administration that would prepare them to run their own server.

I myself even wouldn't venture into exposing a server to the internet to maintain it in my freetime, and that is with a post graduate degree in an engineering field and more than 20 years of experience.

◧◩◪
3. kibwen+H5[view] [source] 2025-01-05 13:49:50
>>tossan+04
> Just like people shouldn't just buy industrial welding machines, SCUBA equipment or a parachute and "wing it" I think the same can be said here.

I find this to be extremely sad.

Unlike welding or diving, there is no inherent physical risk to life and limb to running a server. I should be able to stand up a server and leaving it running, unattended and unadministered, and then come back to it 20 years later to find it happily humming along unpwned. The fact that this isn't true isn't due to any sort of physical inevitability, it's just because we, the collective technologists, are shit at what we do.

◧◩◪◨
4. darkwa+Z5[view] [source] 2025-01-05 13:54:23
>>kibwen+H5
No. It's not so easy because in most cases you have to choose between security, flexibility and usability. Obviously it's not a 100% accurate example but generally speaking, it tends to be true. Sum it up over several decades of development and you get why we cannot have something that it's really really easy to use, flexible and secure by default.
◧◩◪◨⬒
5. Gud+md[view] [source] 2025-01-05 15:05:38
>>darkwa+Z5
We do, it's called FreeBSD. In my experience, many Linux distributions also qualify. To keep a modern *nix secure and up to date is simple.
◧◩◪◨⬒⬓
6. darkwa+rk[view] [source] 2025-01-05 16:02:36
>>Gud+md
Which would help exactly 0 in this scenario, where someone is exposing a port directly on the Internet. Also, FreeBSD is even more niche than Linux, I doubt it would stand the average user stress test.
◧◩◪◨⬒⬓⬔
7. Gud+Qn[view] [source] 2025-01-05 16:28:11
>>darkwa+rk
Absolutely it would because jails doesn't do weird shit like this from the get go. With FreeBSD, you have to deliberately open ports, not the other away around. I don't understand your second sentence. "average user stress test"??
◧◩◪◨⬒⬓⬔⧯
8. diggan+IU[view] [source] 2025-01-05 20:47:12
>>Gud+Qn
> With FreeBSD, you have to deliberately open ports

The issue outlined in the article happened because the author deliberately open their service to the public internet. Replacing Linux with FreeBSD wouldn't have prevented the compromise.

[go to top]