this post was submitted on 03 Jul 2025
21 points (95.7% liked)

Selfhosted

49368 readers
496 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
21
What do I do -- Incorrect? (sh.itjust.works)
submitted 1 week ago by CraigCabbage@sh.itjust.works to c/selfhosted@lemmy.world
11 comments fedilink hide all child comments
 

I tried installing YunoHost once, now I'm installing again. I installed it on a Virtual Machine. After installing, it asked for a user and password. I typed in what was provided "root" and "yunohost", and it didn't work, it said incorrect.

top 11 comments
sorted by: hot top controversial new old
[–] cecilkorik@lemmy.ca 7 points 1 week ago (3 children)

Not sure what you mean by "what was provided"... who is providing a username and password for your yunohost?

You are supposed to create your own username and password during the "Begin" setup process after it first installs. "root" and "yunohost" are very insecure and if you use passwords that are copy/pasted from somewhere else on a machine connected to the internet it will be hacked, potentially almost immediately. People have bots that literally just try to connect using these common default passwords all day every day to every site on the internet. I have literally had machines with such crappy passwords hacked within minutes of spinning them up. The same thing can happen even when you are first doing the setup process. If somebody else can get in, they can (most likely with a bot) do the setup process themselves and set up their OWN username/password, and now it will ask you for that password that THEY set, which you have no way of knowing. The instance belongs to the first person to claim it, and if that's not you, you have to wipe it and start over.

Your yunohost VM interface should not be exposed to the internet during setup. Even briefly, or someone else can immediately compromise it like this. The only way to ensure you are the first person to access it is to make sure you are the ONLY person who can access it, until it is properly set up and secured. Bots are WAY faster than you can be.

Use localhost console, VM port forwarding or some other secure method of making sure nobody but your own host computer can access the IP of the server where you are setting things up, until it has a strong, secure password (not "yunohost") and make sure you have all its security features configured and working before you even think about making it accessible to the internet.

[–] irmadlad@lemmy.world 1 points 5 days ago

The same thing can happen even when you are first doing the setup process.

I might get a bit too stressed about standing up a server than I should, but this notion has always been in the back of my mind, prompting me to hurry the fuck up and secure everything before some bot detected I was remiss we in having this or that in place in the initial setup. So, it's like a sprint trying to get all security in place.

I don't share my servers with others like a lot you guys do, so it's a little simpler. Implementing host.allow and host.deny (ALL:ALL) does the trick. Over the course of 24 hours, I think, conservatively hundreds of bots visit.

[–] CraigCabbage@sh.itjust.works 2 points 1 week ago (1 children)

when i signed in, it just downloaded the packages and didn't ask me to create my own username nor password, it told me to use root and yunohost.

[–] cecilkorik@lemmy.ca 4 points 1 week ago (2 children)

Aha I see you did the text-based install then? I've never done that myself but I just tried it now and it worked fine for me with the default password it mentions. Make sure caps lock is off. You will not be able to see the password when you type it, so be extra careful you are typing it correctly.

Most of the same cautions about internet access still apply, if your networking is active on this VM there's a non-zero chance you can get hacked right away when you're in default passwords/initial setup mode. If you continue to have trouble getting in, you should reinstall it once again onto a fresh VM with network mode set to NAT if possible, or even disabled completely, and see if it works in that configuration. It really is critical to get the password set up before opening up the internet.

[–] CraigCabbage@sh.itjust.works 3 points 1 week ago

Thank you, it seems I messed something up so I'm redoing it

[–] CraigCabbage@sh.itjust.works 2 points 1 week ago

I did graphical-install, I closed out of the IP site thing so im redoing

[–] hendrik@palaver.p3x.de 5 points 1 week ago* (last edited 1 week ago) (2 children)

I think after initial installation, you open a browser with the post-installation step and configure a username and password there. I'm not entirely sure, it's been some time since I did it. But depending on installation method, I don't think it has a provided password.

General password advice: Check caps lock, and if you use like a German keyboard if 'z' and 'y' are swapped.

[–] CraigCabbage@sh.itjust.works 2 points 1 week ago

oh thanks! yes probably!