Ooops

joined 2 years ago
[–] Ooops@feddit.org 5 points 1 week ago

Setups like Android or those new fancy immutable distros don't actually make anything more secure. If the underlying OS is directly exploited they don't protect you. Not having a mechanism included to get you root permissions regularly doesn't help you against exploits achieving the same in unplanned ways. In fact (although that's a minor issue) you can probably specifically target the latter distros even after a patch: after all we are talking about direct changes to binary code here. On that level you could get ideas about manipulating the overlay to access the unpatched files.

In the end the most effective way to be more secure is not a mass-produced thing like Android that locks out everyone (and isn't even that good at it, because there are masses working to circumvent it to get control over their device back), but to minimise your attack surface: Don't have stuff activated you don't need. Have a kernel compiled for your device with only exactly the components you really need. Or whitelist all kernel modules you need and nothing more. Explicitly declare what a user can do and access actively (see: SELinux, AppArmor with strict policies) instead of relying on the underlying passive permission system.

[–] Ooops@feddit.org 11 points 1 week ago* (last edited 1 week ago) (1 children)

Update: Kernel 7.0.5 just released

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")

Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")

Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")

Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")

[–] Ooops@feddit.org 8 points 1 week ago

Also HandleLidSwitchExternalPower= for when it's still plugged in when you close the lid.

[–] Ooops@feddit.org 3 points 2 weeks ago

Germany's problem is not building stuff but corruption.

Our street/sidewalk was opened up f****ing 7 times in the last 3 years for fiber-optic cables. Because if there is money to be spent they will find a way to give it to some buddies for putting the 2nd, 3rd or 10th set of redundant cables into the ground.

Oh, and guess what is not available here... a fiber connection, because actually connecting those cables is not where they can make money. And if they somehow manage this some day... I'll pay insane prices compared to any other country.

Which is both again caused by corruption, a.k.a. a few big companies and their well-paid lobbyists working hard to be the only option.

[–] Ooops@feddit.org 15 points 3 weeks ago (1 children)

Anthropic Mythos shaping up as nothingburger

AI PR doing AI PR stuff... At this point they will push any outrageous claim about capabilities or spend nearly any amount of money to keep that insane AI bubble from bursting.

[–] Ooops@feddit.org 1 points 3 weeks ago* (last edited 3 weeks ago)

If it was just AI... but the idiotic crawlers everywhere are getting worse by the day, it feels.

I still have some ancient RPi running a basic homepage with some reverse proxies. A few weeks ago, years after I stopped caring about that thing, I realized that the access log, which had just happily been sitting there for years without getting to relevant sizes, has suddenly grown by nearly 1GB, most of it in the last 6-8 months, because I never bothered to set up logrotate.

But hey... I wanted to test setting up Anubis for quite some time. So now I can watch them run circles in the (still experimental) honeypot feature reading pages and pages of non-sensical babbling 😂

[–] Ooops@feddit.org 5 points 1 month ago* (last edited 1 month ago)

Security through obscurity never works, so changing your SSH port does barely anything

... for security that is.

What it does is keep a lot of automated bots from spamming your server. No, they don't have any chance of getting access when key authentication is used (and they won't try either... most go for the incredibly low-hanging fruit like admin/admin user/password sets), but they can become a strain on your own resources.

What actually helps (and is usually configurable with any firewall) is rate limiting access. Just blocking someone's access for 10 seconds after a failed attempt will make absolutely no difference for you but a big one for those spammers. Now add some incremental increase after multiple fails and you are perfectly set.

PS: 53 is the standard port for DNS when your server operates as such.

PPS: Don't use it. People should really let that stuff die and exclusively run encrypted DNS (via TLS, HTTPS or QUIC...)

[–] Ooops@feddit.org 0 points 1 month ago (7 children)

What I ask myself here is why I should have unused phones lying around in the first place?

If I somehow think constantly wasting money on a new model just because there is a new number written on its packaging is worth it, I would not actually think in terms of reusing old hardware.

If I am however thinking about using hardware instead of just throwing it away while still functional why wouldn't I use a phone as anyone else as a phone?

[–] Ooops@feddit.org 1 points 1 month ago

I didn't have any actual issues with the native install either.

But with [multilib] activated there were dozens and dozens of 32-bit libraries pulled in alongside their regular version that I didn't actually need. And I use Wine a lot more than Steam anyway. So once Wine went fully 64-bit I decided to get rid of all that legacy multilib 32-bit stuff.

Steam via Flatpak also works and will do until they, too, fully switch over to a WoW64 implementation.

[–] Ooops@feddit.org 1 points 1 month ago (1 children)

Mainly my normal phone app. But for a long time it hasn't been synced to some Google cloud (which would be the default) but to a Radicale instance.

I used Nextcloud before but honestly it's a mess to maintain. So much that I would not suggest it without planning to extensively use a lot of the different available addon functions.

Just for file sharing and caldav/carddav I will pick some simple solutions (like Radicale and Syncthing) over Nextcloud any day.

[–] Ooops@feddit.org 1 points 1 month ago* (last edited 1 month ago)

And to give you a reference to some of the details glossed over...

The anubis instance listening to a socket doesn't work as described there. Because the systemd service is running as root by default but your web server would need access to the socket. So you first need to harmonise the user the anubis service runs as with the one from your web server with the permissions of the /run/anubis directory.

(see Discussion here for example)

Also having one single setup example in the docs with Unix sockets when that isn't even the default is strange in the first place...

Half the environment variables are just vaguely described in terms of what they do, without actual context. It probably makes perfect sense when you know it all and are writing a description. But as documentation for third-person use that's not sufficient.

Oh, and the example setup for caddy is nonsensical. It shows you how to route traffic to Anubis and then stops... and references Apache and Nginx setups to get an idea how to continue (read: understand that you then need a second caddy instance to receive the traffic....).

PS: All that criticism reads harsher than it is meant to be. Good documentation needs user input and multiple viewpoints to realize where the gaps are. That's simply not going to happen with mostly one person.

[–] Ooops@feddit.org 1 points 1 month ago* (last edited 1 month ago) (2 children)

More than once. But (not actually surprising for a work in progress by mostly one single person) it's not actually what I would call well-structured or even coherent. 😅

More than once I googled for a detail I didn't understand and ended up on the issue tracker, realizing I'm not alone and some behavior is indeed illogical or erratic.

And then some of it is of course referencing forwarding and header information, how it's handled, where it's flattened... and as my question should have told you, I don't even have much of a clue how it is handled normally.


As this will -thanks to me being quite clueless- be a very open question I will start with the setup:

One nginx server on an old Raspi getting ports 80 and 443 routed from the access point and serving several pages as well as some reverse proxies for other services.

So a (very simplified) nginx server-block that looks like this:

# serve stuff internally (without a hostname) via http
server {
    listen 80 default_server;
    http2 on;
    server_name _;
    location / {
        # that's where all actual stuff is located
        proxy_pass http://localhost:5555/;
    }
}
# reroute http traffic with hostname to https
server {
    listen 80;
    http2 on;
    server_name server_a.bla;
    location / {
        return 301 https://$host$request_uri;
    }
}
# TLS front door; everything is handed to the content server on 5555
server {
    listen 443 ssl default_server;
    http2 on;
    server_name server_a.bla;
    ssl_certificate     A_fullchain.pem;
    ssl_certificate_key A_privkey.pem;
    location / {
        proxy_pass http://localhost:5555/;
    }
}
# actual content here...
server {
    listen 5555;
    http2 on;
    root /srv/http;
    location / {
        index index.html;
    }
    location = /page1 {
        return 301 page1.html;
    }
    location = /page2 {
        return 301 page2.html;
    }
    # reverse proxy for an example webdav server
    # (the /dav/ prefix is stripped because proxy_pass carries a URI part)
    location /dav/ {
        proxy_pass http://localhost:6666/;
    }
}

Which works well.

And intuitively it looked like putting Anubis into the chain should be simple. Just point the proxy_pass (and the required headers) in the "port 443"-section to Anubis and set it to pass along to localhost:5555 again.

Which really worked just as expected... but only for server_a.bla, server_a.bla/page1 or server_a.bla/page2.

server_a.bla/dav just hangs and hangs, to then time out, seemingly trying to open server_a.bla:6666/dav.

So long story short...

How does proxy_pass actually work that the first setup works, yet the second breaks? How does a call for localhost:6666 (already behind earlier proxy passes in both cases) somehow end up querying the hostname instead?

And what do I need to configure -or what information/header do I need to pass on- to keep the internal communication intact?
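An added illustration of the nginx mechanics this question turns on. This is an editor's example, not the poster's configuration and not from the Anubis documentation; the Anubis bind address 127.0.0.1:8923 and the `TARGET=http://localhost:5555` setting are assumptions for this example, not taken from the page. Two documented nginx behaviours interact here. First, a request for `/dav` (no trailing slash) that lands on `location /dav/ { proxy_pass ...; }` is not proxied at all: nginx itself answers with a 301 to `/dav/`, and builds that Location header from the incoming Host header plus the server's listening port (`port_in_redirect` is on by default), so the inner server on 5555 emits something like `http://server_a.bla:5555/dav/`. Second, the outer block's implicit `proxy_redirect default` rewrites only Location values that begin with its own proxy_pass address. In the original chain that address is `http://localhost:5555/` and the inner server saw `Host: localhost:5555`, so the rewrite matched. Once Anubis sits in between, the outer proxy_pass address is the Anubis one, Anubis requires the real Host to be forwarded, and the inner redirect with an internal port passes through to the browser untouched. The same logic applies one hop further in if the WebDAV upstream on 6666 issues its own absolute redirects. The fix is to stop the inner servers from minting absolute redirects with internal ports, and to map any that still occur back explicitly:

```nginx
# Added example (not the poster's config). Assumes Anubis listens on
# 127.0.0.1:8923 with TARGET=http://localhost:5555 (both placeholders).
server {
    listen 443 ssl default_server;
    http2 on;
    server_name server_a.bla;
    ssl_certificate     A_fullchain.pem;
    ssl_certificate_key A_privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8923;
        # Anubis needs the public hostname and the real client address.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        # Listing any proxy_redirect disables the implicit "default" one,
        # so restate it: it rewrites http://127.0.0.1:8923/ -> /.
        proxy_redirect default;
        # Redirects generated behind Anubis carry the public hostname plus an
        # internal port (port_in_redirect). Map them back to the public URL.
        # Paths from the WebDAV upstream live under /dav/ externally because
        # the inner proxy_pass strips that prefix.
        proxy_redirect http://$host:5555/ https://$host/;
        proxy_redirect http://$host:6666/ https://$host/dav/;
    }
}

# Content server. Binding to loopback keeps 5555 unreachable from the LAN,
# which the original "listen 5555" did not guarantee.
server {
    listen 127.0.0.1:5555;
    root /srv/http;
    # Emit "Location: /dav/" instead of "http://host:5555/dav/" for the
    # trailing-slash 301 and for any other nginx-generated redirect.
    absolute_redirect off;
    # Alternative if absolute URLs are wanted: keep the scheme and host but
    # drop the non-standard port from generated redirects.
    # port_in_redirect off;

    location / {
        index index.html;
    }
    location = /page1 {
        return 301 /page1.html;
    }
    location = /page2 {
        return 301 /page2.html;
    }

    location /dav/ {
        proxy_pass http://localhost:6666/;
        # The default rewrite maps http://localhost:6666/ -> /dav/ for
        # redirects the WebDAV server builds from Host=localhost:6666.
        proxy_redirect default;
        # If the WebDAV server sees the forwarded public name instead,
        # its redirects look like http://server_a.bla:6666/...; map those too.
        proxy_redirect http://$host:6666/ /dav/;
    }
}
```

A quick check for this class of problem is `curl -skI https://server_a.bla/dav` against the outer server and reading the Location header: anything containing an internal hostname or a port like `:5555` or `:6666` is a redirect that escaped a proxy hop unrewritten, and each such hop needs either `absolute_redirect off` on the server that generates it or a matching `proxy_redirect` on the server in front of it.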
