    253 points akyuu | 11 comments
    embedding-shape (No.45945999)
    > The internet is no longer a safe haven for software hobbyists

    Maybe I've just had bad luck, but since I started hosting my own websites back around 2005 or so, my servers have always been attacked basically from the moment they come online. Even more so when you attach any sort of DNS name to it, especially when you use TLS and the certificates, I'm guessing because they end up in a big index that is easily accessible (the "transparency logs"). Once you start sharing your website, it again triggers an avalanche of bad traffic, and the final boss is when you piss off some organization and (I'm assuming) they hire some bad actor to try to take you offline.

    Dealing with crawlers, bot nets, automation gone wrong, pissed off humans and so on has been almost a yearly thing for me since I started deploying stuff to the public internet. But again, maybe I've had bad luck? I've hosted stuff across a wide range of providers, and it seems to happen across all of them.

    replies(13): >>45946074 #>>45946178 #>>45946504 #>>45946700 #>>45946715 #>>45946870 #>>45946927 #>>45947354 #>>45947815 #>>45950210 #>>45950360 #>>45951545 #>>45955317 #
    1. NoboruWataya (No.45946870)
    I have a personal domain that I have no reason to believe any other human visits. I selfhost a few services that only I use but that I expose to the internet so I can access them from anywhere conveniently and without having to expose my home network. Still I get a constant torrent of malicious traffic, just bots trying to exploit known vulnerabilities (loads of them are clearly targeting WordPress, for example, even though I have never used WordPress). And it has been that way for years. I remember the first time I read my access logs I had a heart attack, but it's just the way it is.
    replies(4): >>45947135 #>>45947452 #>>45947801 #>>45949802 #
    2. timeinput (No.45947135)
    And it has been that way for a long time. Hosting a service on the internet means someone is *constantly* knocking at your door. It would be unimaginable if every few 10-1000s of milliseconds someone was trying a key in my front door, but that's just what it is with an open port on the internet.
    replies(1): >>45947257 #
    3. sshine (No.45947257)
    I recently provisioned a VPS for educational purposes. As part of teaching public/private network interfaces in Docker, and as a debug tool, I run netstat pretty easily on.

    Minutes after coming into existence, I have half a dozen connections to sshd from Chinese IP addresses.

    That teaches the use of SSH keys.

    replies(2): >>45948165 #>>45948789 #
    4. mbreese (No.45947452)
    I've often thought about writing a script to use those bot attacks as a bit of a honey pot. The idea would be that if someone is viewing a site with a brand new SSL certificate, it can't be legitimate traffic, so just block that IP/subnet outright at the firewall. Especially if they are looking for specific URLs like WordPress installations. There are a few good actors that also hit sites quickly (ex: I've seen Bing indexing in that first wave of hits), but those are the exception.

    Sadly, like many people, I just deal with the traffic as opposed to getting around to actually writing a tool to block it.

    replies(1): >>45948772 #
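    One way to prototype the idea in this comment, as an added example that is not the commenter's own script: parse access log lines, flag source IPs that request WordPress-style paths within a short window after the certificate was issued, and skip an allowlist so legitimate early visitors and provider ranges are not caught. The log lines, the issuance time, the window and the allowlist are all constructed for the example; the output is a candidate list for review, not a firewall rule.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access log in Common Log Format; not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [10/Nov/2025:12:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Nov/2025:12:01:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
198.51.100.20 - - [10/Nov/2025:12:02:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153
192.0.2.44 - - [10/Nov/2025:13:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 153
203.0.113.99 - - [10/Nov/2025:12:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 40
"""

# Constructed certificate issuance time; the "brand new cert" window starts here.
CERT_ISSUED = datetime(2025, 11, 10, 12, 0, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=30)

# Paths a site that has never run WordPress has no reason to serve.
PROBE_PATHS = re.compile(r"^/(wp-login\.php|wp-admin/|xmlrpc\.php|wp-content/)")

# Constructed allowlist standing in for crawler or cloud-provider ranges you
# do not want to block; real ranges come from the providers' published lists.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)


def early_probers(log_text, issued, window, allowlist):
    """IPs that hit probe paths between cert issuance and issuance + window."""
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, _method, path, _status = rec
        if any(ipaddress.ip_address(ip) in net for net in allowlist):
            continue  # allowlisted ranges are never candidates
        if issued <= when <= issued + window and PROBE_PATHS.match(path):
            flagged.add(ip)
    return sorted(flagged)
```

With the sample data only 203.0.113.7 is flagged: 198.51.100.20 is allowlisted and 192.0.2.44 probes outside the window.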
    5. aledalgrande (No.45947801)
    For your use case have you thought about VPN into your local network, via e.g. a Synology box? It's pretty cool and easy to set up.
    6. toyg (No.45948165)
    Just put sshd on a nonstandard port, and 95% of the traffic goes away. Vandals can't be bothered with port-scanning, probably because the risk of getting banned before the scan is even complete is too high.

    But I agree that keys are not optional anymore.

    replies(1): >>45974032 #
    7. esseph (No.45948772)
    You'd end up blocking a bunch of cloud provider IP ranges and one day in the near future, there's a good chance some SaaS or provider service doesn't work.
    8. esseph (No.45948789)
    Fronting with ssh is not as secure as you could be.

    WireGuard, Tailscale, etc. instead, THEN use SSH keys (with a password on them, mind you; then you have 2FA: something you have, and something you know).

    9. phs318u (No.45949802)
    This sounds like a great use-case for VPN or Tailscale? Access from anywhere, uses the open-internet as a carriage service but exposes no endpoints on the open internet. Is there a particular requirement that makes that non-viable?
    replies(1): >>45955941 #
    10. NoboruWataya (No.45955941)
    I am vaguely aware of such solutions and I think there's no real reason why they wouldn't work. I think I just wasn't familiar with them at the time I set up the VPS. (Also I assume they would require an always-on box at home, which at the time I didn't have, and even now I suspect a VPS would provide more reliable uptime.)
    11. sshine (No.45974032)
    I do use non-standard ports and sshd on VPC/VPN interfaces. But for teaching purposes, you are dealt a hand and you have to learn to deal with it.