I am a Meat-Popsicle

  • 0 Posts
  • 13 Comments
Joined 1 year ago
cake
Cake day: June 10th, 2023

help-circle





  • You need to have a rather capable router / firewall combo.

    You could pick up a ubiquity USG. Or set up something with an isp router and a PF sense firewall.

    You need to have separate networks in your house. And the ability to set firewall rules between the networks.

    The network that contains the hosting box needs to have absolutely no access to anything else in your house except it’s route out to the internet. Don’t have it go to your router for DHCP set it up statically. Don’t have it go to your router for DNS, choose an external source.

    The firewall rules for that network are allow outbound internet with return traffic, allow SSH and maybe VNC from your home network, then deny all.

    The idea is that you assume the box is capable of getting infected. So you just make sure that the box can live safely in your network even if it is compromised.


  • The first worry are vectors around the Synology, It’s firmware, and network stack. Those devices are very closely scrutinized. Historically there have been many different vulnerabilities found and patched. Something like the log4j vulnerabilities back in the day where something just has to hit the logging system too hit you might open a hole in any of the other standard software packages there. And because the platform is so well known, once one vulnerability is found they already know what else exists by default and have plans for ways to attack it.

    Vulnerabilities that COULD affect you in this case for few and far between but few and far between are how things happen.

    The next concern you’re going to have are going to be someone slipping you a mickey in a container image. By and large it’s a bunch of good people maintaining the container images. They’re including packages from other good people. But this also means that there is a hell of a lot of cooks in the kitchen, and distribution, and upstream.

    To be perfectly honest, with everything on auto update, cloud flares built-in protections for DDOS and attacks, and the nature of what you’re trying to host, you’re probably safe enough. There’s no three letter government agency or elite hacker group specifically after you. You’re far more likely to accidentally trip upon a zero day email image filter /pdf vulnerability and get bot netted as you are someone successfully attacking your Argo tunnel.

    That said, it’s always better to host in someone else’s backyard than your own. If I were really, really stuck on hosting in my house on my network, I probably stand up a dedicated box, maybe something as small as a pi 0. I’d make sure that I had a really decent router / firewall and slip that hosting device into an isolated network that’s not allowed to reach out to anything else on my network.

    Assume at all times that the box is toxic waste and that is an entry point into your network. Leave it isolated. No port forwards, you already have tunnels for that, don’t use it for DNS don’t use it for DHCP, Don’t allow You’re network users or devices to see ARP traffic from it.

    Firewall drops everything between your home network and that box except SSH in, or maybe VNC in depending on your level of comfort.





  • the hashes look like this

    bafybeih3otruk3juwppyva2giufgtnll5tjqsk6mzmhjiksjkpbh434mae

    IPFS is kind of like a torrent system, you generate the file, add it to something like ipfs desktop or brave browser, it injects the hash into the p2p system, they download it from you directly or any one else that has downloaded it.

    It’s not for truly private things, it’s more like throwing it on an unlisted imgur. It’s also not possible to redact things so if you shove it out there, it might be out there forever.