• 0 Posts
  • 35 Comments
Joined 1 year ago
cake
Cake day: July 4th, 2023

help-circle


  • Cloudflare, Pagekite, a cheap VPS with a reverse proxy. Maybe IPv6-only access if your CGNat does that, ngrok, serveo, rathole, sish, a VPN… I also found portmap-io, webhook relay, packetriot and countless other smaller companies. There are quite some tools and services available. And which one is right for you might depend on the exact situation and what you’re hosting. I’m not an expert on this. I have an internet connection without a NAT, and additionally a really tiny VPS with a mailserver, a small website and wireguard. I just use that to tunnel through NAT if i need to. But that means I haven’t compared all the other services since I don’t need them (yet.) I’ve learned a bit about Cloudflare from this discussion.


  • Thx for explaining. I think I halfway know what this is about now. I don’t think I’m their target group. But I learned something about web application firewalls in the process and that is a good thing. I think I’m going to activate that for some of my private services since it’s so easy and look up if there are good ip ban lists. It’s a bummer that I don’t get to see proper documentation on this, since security is all about exact facts and scenarios. But I guess no answer is also an answer. If they just feed buzzwords to me, either my initial skepticism was warranted, or I’m just not their target audience and they only target enterprise users. Either way I’m better off with my current approach. I appreciate I got to learn something :-)


  • I tried to look it up but I wasn’t very successful. What they do in their free tier keeps being a mystery to me. In the $20/month is the the core ruleset from ModSecurity. I don’t need to pay them $20 to deploy that for me, the dataset is free and publicly available. I’ve just installed it on my VPS… It’s only a few lines in Nginx to enable that.

    And what you’re talking about is $200 a month. I seriously doubt anyone here uses that plan for their homeserver. I wouldn’t pay $2400 in a year for it.

    I still don’t get how that would work. Sure you can filter spam that way. And migitate attacks while the worst wave washes through the net. Or do machine learning and find out if usage patterns change. But how would it extend to 0-days faster than the software gets patched? This sounds more like snake-oil to me. If someone finds a way to inject something into a Nextcloud plugin and change things in the database so they have access… And then they do it to 100 cloudflare customers… How would Cloudflare know? If it’s a 0-day, they -per definition- don’t know in advance. And they’re just WAF, they don’t know if a user is authorized by mistake or if they’re supposed to have access. And they don’t know anything about my database, since it runs on my machine. And they also don’t know about the endpoints of the software and which request is going to trigger a vulnerability unless this manifests in some obvious (to them) way. Like 100 machines immediately start blasting spam through their connection and there is one common request in the logfiles. Otherwise all they can do is protect against known exploits. Maybe race the software vendor and filter things before they got patched. I just don’t see any substantial 0-day protection that extends to more than “keep your server up to date and don’t use unmaintained software.” Especially not for the home-user.



  • I mean theoretically… I guess, if they do it right? It depends a bit. Some Linux distributions are crazy fast with patching stuff. And some stable channels have a really good track record of open vulnerabilities. Nowadays that’s not the only way of distributing software, vulnerability might depend on your docker container setup etc.

    Are there actual numbers what Cloudflare adds on top? What 0-days they focus on? I mean do they have someone sitting there, reading Lemmy CVEs and then immediately getting to action to write a regex that filters out such requests?

    And how much does it cost? They also list the same ModSecurity in their lower plans. I don’t think 0day protection would help people like me if it’s $200 a month.



  • Ah. Makes sense. I don’t think you have to specifically use cloudflare in that case. But I remember CNAME records can’t be used for everything… there are some limitations. I know I had issues with dyndns and a domain at some point. I just can’t remember the details. I know it didn’t work with every registrar / DNS provider. But some of them offer some magic to make some things work. I believe back then we ended up transferring that domain to some other hoster. And my domains are with a company that offers an API. I can just have a small script run in the background that changes around entries and do dyndns that way. But obviously you need to pay attention to things like the time to live for your records and set it accordingly once you do dyndns yourself.


  • Thx for explaining. I’m not sure if I’m willing to do the same trade-offs. Supposedly their WAF is very good and quite some people use it. Probably for a good reason… It just comes at a hefty price. I’m doing selfhosting to emancipate myself, stay independent and in control. I’m not sure if becoming dependant on a single large company and terminating my encryption on their servers that do arbitrary magic and whatever with my packets is something that aligns with my goals. (Or ethics, since I think the internet is to connect people on a level playing field. And that’s no longer the case once many people transfer control to a single entity.) But I don’t see a way around that. Afaik you have to choose between one or the other. Are there competitors to cloudflare that handle things differently? Maybe provide people with the WAF and databases to run on their own hardware, let them stay in control and just offer to tunnel their encrypted data with a configurable firewall?

    Edit: Just found modsecurity.org while looking that up. But I guess a good and quick database of bad actors’ IPs is another thing that would be needed for an alternative solution.










  • rufus@discuss.tchncs.detoich_iel@feddit.deich🟦🚫iel
    link
    fedilink
    Deutsch
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Gut. Da gehe ich mit. Das klingt ziemmlich menschenverachtend und eklig. Dann bin ich einfach froh, dass ich das nicht selber gesehen hab. Ich hab nur die ganze Sekundärliteratur über den Ableismus von Herrn Höcke und die (in Ermangelung von Wörtern) dummen, aber populistischen Aüßerungen von Frau Weidel gelesen. Und eigentlich möchte ich nichts über die lesen.

    Der KI-Artikel ist interessant. Ich gehe auch davon aus, dass es da noch gut knallen wird.


  • rufus@discuss.tchncs.detoich_iel@feddit.deich🟦🚫iel
    link
    fedilink
    Deutsch
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Krass. Ich hoffe das ist nicht allgemein so. Also technisch kann ich das verstehen. Die möchten auch nicht in jede Animosität reingezogen werden. Und es passiert ja regelmäßig, dass Leute anderer Meinung sind als jemand und dann Videos melden. Oder Shitstorms veranstalten und dann passiert das massenweise. Das ist eigentlich nicht wofür diese Funktion da ist, und dann müssen sich die Leute damit beschäftigen, die eigentlich Missinformation, Gewalt, ekliges Zeug und sonstwas aussortieren sollen.

    Ohne die Details zu kennen würde ich aber wetten, dass Google das schlecht macht. Und die meiste Arbeit einem Algorithmus mit hoher Fehlerquote überlässt. Keine Ahnung ob der dich dann drosselt. Meldungen zu Copyright kriegen die ja wohl auch oft nicht vernünftig hin.

    Also solange diese Partei demokratisch legitimiert sind und mal ausnahmsweise keine Falschinformationen verbreiten, ist das eigentlich wahrscheinlich nicht richtig was du machst. Ich trauere jetzt aber auch nicht, wenn das dazu führt, dass AfD-Videos gelöscht werden. Mich ekeln die auch an. 🫠

    Und oft rufen die ja auch zu Hass auf oder beinhalten Falschinformationen… Dann sowieso weg damit.