h3ndrik

Uh, why use a Microsoft product that doesn't even tie into the rest of the selfhosted services very well? There are easier and way better solutions for SSO and web services. And I don't have a pool of 30 windows laptops that'd need to share a set of login credentials and software rollout, at home.

I'd rather use the time I'd put into such a project that is just work and little to no benefit for something else. For example doing backups, deleting the Windows on those laptops and replacing it with free software.

I think that is a good question to write something positive about SystemD.

I start my services with SystemD. I also moved my containers and docker-compose stack to be started by systemd. And it does mounting and bind-mounts, too. So I removed things from /etc/fstab and instead created unit files for systemd to mount the network mounts. And then you can edit the service file that starts the docker-container and say it relies on the mount. SystemD will figure it out and start them in the correct order, wait until the network and the mounts are there.

You have to put some effort in but it's not that hard. And for me it's turned out to be pretty reliable and low maintenance.

I think OpenSnitch can do it roughly 2 different ways. Either you use an allow-list. That's pretty secure. But it'll severely interfere with how you're used to browse the internet. You're gonna allow Wikipedia and your favorite news sources, but you won't be browsing Lemmy and just randomly clicking on articles and blogs since you have to specifically allow them in the firewall first. Or you're using a deny-list. That's something like what Chrome does, have a list of well-known malicious sites and it'll ask you 'Do you really want to visit that site? It spreads malware.' It'll add tremendously to security. But won't protect you entirely. Hackers frequently break into webservers to spread malware from new servers. Ones that aren't yet in the list of bad IPs. It'll work for some time until the application firewall and the Chrome browser catches up and they'll move on to a different server. You should definitely think about that and prevent being the millionths victim, however.

I think we're talking about vastly different concepts here. Desktop computers and servers, consumers and enterprises are threatened in vastly different ways. And thus they need different solutions that handle the different threats. On a desktop computer the main way of compromising it is getting people to click on something. Or do whatever an official-looking e-mail instructs them to do. On a server that is meaningless. There isn't that much random applications someone clicks on without thinking it through. There is no e-mail client on the server. But on the other side you're serving random people from all over the world. Your connections are different, too. And if someone wants to upload their malware somewhere or send spam... They're going to go for a server and not a desktop computer.

About the "Störerhaftung": I think so, too. It's been ridiculous and in the end the courts also ruled it's against the law. The 100€ is also not something you have to pay. They want it and it's just a way to settle out of court. If you pay them, they'll promise to forget about this one time and not care about who did it. I think these kind of settlement exist all around the world and it's not illegal. And the copyright has to find some means of pressuring people, even if it's a bit shady, since such copyright offenses aren't a major crime and courts are often times bothered with more important stuff.

I think an Application Layer Firewall usually struggles to do more than the utmost basics. If for example my Firefox were to be compromised and started not only talking to Firefox Sync to send the history to my phone, but also send my behavior and all the passwords I type in to a third party... How would the firewall know? It's just random outgoing encrypted traffic from its perspective. And I open lots of outbound connections to all kinds of random servers with my Firefox. Same applies to other software. I think such firewalls only protect you once you run a new executable and you know it has no business sending data. If software you actually use were susceptible to attack, the firewall would need to ask you after each and every update of Firefox if it's still okay and you'd really need to verify the state of your software. If you just click on 'Allow' there is no added benefit. It could protect you from connecting to a list of known malicious addresses and from people smuggling new and dedicated malware to your computer.

I don't want to say doing the basics is wrong or anything. If I were to use Windows and lots of different software I'd probably think about using an Application Level Firewall. But I don't see a real benefit for my situation... However I'd like Linux to do some more sandboxing and asking for permissions on the desktop. Even if it can't protect you from everything and may not be a big leap for people who just click 'Accept' for everything, it might be a good direction and encourage more fine-granularity in the permissions and ways software ties together and interacts.

it could [...] just be vulnerable software

I mean your webserver or CMS or your browser has a vulnerability and that gets exploited and you get hacked. The webserver has open ports anyways in order to be able to work at all. The CMS is allowed to process requests and the browser allowed to talk to websites. A maliciously crafted request or answer to your software can trigger it to fail and do something that it shouldn't do.

[...] Matrix

Sure, I have a Synapse Matrix server running on my YunoHost. It works fine for me. I'm going to install Dendrite or the other newer one next. I'm not complaining if I can cut down memory consumption and load to the minimum.

Do you mean “held responsible” to simply stop the disruption, or “held responsible” for the actions of/damaged caused by the disruption?

Yeah, the issue was that it meant both. You were part of the crime, you were involved in the causality and linked to the damages somehow. Obviously not to the full extend, since you didn't do it yourself, but more than 'don't allow it to happen again'. Obviously that has consequences. And I think now it's not that any more when it comes to wifi. I think now it's just the first, plus they can ask for a fixed amount of money since by your negliect, you caused their lawyer to put in some effort.

There does still exist the risk of a vulnerability being pushed to whatever software that you use – this vulnerability would be essentially out of your control. This vulnerability could be used as a potential attack vector if all ports are available.

But this is a really difficult thing to protect from. If someone gets to push code on my computer that gets executed, I'm entirely out of luck. It could do anything that that process is allowed to do, send data, mess with my files and databases or delete stuff. I'm far more worried about the latter. Sandboxing and containerization are ways to mitigate for this. And it's the reason why I like Linux distributions like Debian. There's always the maintainers and other people who use the same software packages. If somebody should choose to inject malicious code into their software, or it gets bought and the new company adds trackers to it, it first has to pass the (Debian) maintainers. They'll probably notice once they prepare the update (for Debian). And it gets rolled out to other people, too. They'll probably notice and file a bugreport. And I'm going to read it in the news, since it's something that rarely happens at all on Linux.

On the other hand it could happen not deliberately but just be vulnerable software. That happens and can be exploited and is exploited in the real world. I'm also forced to rely on other people to fix that before something happens to me. Again sandboxing and containerization help to contain it. And keeping everything updated is the proper answer to that.

What I've seen in the real world is a CMS being compromised. Joomla had lots of bugs and Wordpress, too. If people install lots of plugins and then also don't update the CMS, let it rot and don't maintain the server at all, after like 2 years(?) it can get compromised. The people who constantly probe all the internet servers will at some point find it and inject something like a rootkit and use the server to send spam, or upload viruses or phishing sites to it. You can pay Cloudflare $200 a month and hope they protect you from that, or use a Web Application Firewall and keep that up-to-date yourself, or just keep the software itself up-to-date. If you operate some online-services and there is some rivalry going on, it's bound to happen faster. People might target your server and specifically scan that for vulnerabilities way earlier than the drive-by attacks get a hold of it. Ultimately there is no way around keeping a server maintained.

how did you go about installing your Nextcloud instance?

I have two: YunoHost powers my NAS at home. It contains all the big files and important vacation pictures etc. YunoHost is an AIO solution(?), an operating system based on Debian that aims at making hosting and administration simple and easy. And it is. You don't have to worry too much to learn how to do all of the stuff correctly, since they do it for you. I've looked at the webserver config and so on and they seem to follow best practices, disallow old https ciphers, activate HSTS and all the stuff that makes cross site scripting and such attacks hard to impossible. And I pay for a small VPS. I used docker-compose and Docker on it. Read all the instructions and configured the reverse proxy myself. I also do some experimentation there in other Docker containers, try new software... But I don't really like to maintain all that stuff. Nextcloud and Traefik seem somewhat stable. But I have to regularly fiddle with some of the other docker-compose files of other projects that change after a major update. I'm currently looking for a solution to make that easier and planning to rework that server. And then also run Lemmy, Matrix chat and a microblogging platform on it.

It would be a rather difficult thing to prove

And it depends on where you live and the legislation there. If someone downloads some Harry Potter movies or uses your Wifi to send bomb threats to their school... They'll log the IP and then contact the ISP and the Internet Service Provider is forced to tell them your name. You'll get a letter or a visit from police. If they proceed and sue you, you'll have to pay a lawyer to defend yourself and it's a hassle. I think I'd call it coercion, but even if you're in the right, they can temporarily make your life a misery. In Germany, we have the concept of "Störerhaftung" on top. Even if you're not the offender yourself, being part of a crime willingly (or causally adequate(?))... You're considered a "disruptor" and can be held responsible, especially to stop that "disruption". I think it was meant get to people who technically don't commit crimes themselves, they just deliberately enable other people to do it. For some time it got applied to WiFi here. The constitutional court had to rule and now I think it doesn't really apply to that anymore. It's complicated... I can't sum it up in a few sentences. Nowadays they just send you letters, threatening to sue you and wanting a hundred euros for the lawyer who wrote the letter. They'll say your argument is a defensive lie and you did it. Or you need to tell them exactly who did it and rat out on your friends/partner/kids or whoever did it. Of course that's not how it works in the end but they'll try to pressure people and I can imagine it is not an enjoyable situation to be in. I've never experienced it myself, I don't download copyrighted stuff from the obvious platforms that are bound to get you in trouble and neither does anyone else in my close group of friends and family.

I think this is decided by the Firewalld daemon, rather than the packet filtering firewall itself

Mmh, I probably was way to vague with that. This is done by something like FirewallD or whatever Windows or MacOS uses for this. AFAIK it then uses packet filtering to accomplish the task. Seems FirewallD includes the packet filtering too and not tie into nftables and transfer the filtering task to that. I don't think OpenSnitch does things like that. I'm really not an expert on firewalls. I could be wrong. If you read the Wikipedia article (which isn't that good) you'll see there are at least 3 main types of firewall, probably more sub-types and a plethora of different implementations. Some software does more than one of the things. And everything kinda overlaps. Depending on the use-case you might need more than just one concept like packet-filtering. Or connect different software, for example detect which network was connected to and re-configure the packet filter. Or like fail2ban: read the logfiles with one piece of software and hand the results to the packet filter firewall and ban the hackers.

I don't really know how the network connection detection is accomplished and manages the firewall. Either something pops up and I click on it, or it doesn't. My laptop has just 3 ports open, ssh, ipp (printing) and mdns. I haven't felt the need to address that and care about a firewall on that machine. But I've made mistakes. I had MDNS or Bonjour or whatever automatically shows who is on the network and which services they offer activated and it showed some of the Apple devices at work and I didn't intend to show up in anyone's chat with my laptop or anything. And at one point I forgot to deactivate a webserver on my laptop. I had used that to design a website and then forgotten about. Everyone in the local networks I've connected to in that time could have accessed that and depending on where I was that could have made me mildly embarassed. But no-one did and I eventually deleted the webserver. I think I've been living alright without caring about a firewall on my private laptop. I could have prevented that hypothetical scenario by using a firewall that detects where I'm at, but far more embarassing stuff happens to other people. Like people changing their name and then Airdropping silly stuff to people who are just holding a lecture, or Skype popping up while their screen is mirrored to the beamer infront of a large audience. But that has nothing to do with firewalls. Also, in the old days every Windows and network share was displayed on the whole network anyways. Nothing ever happened to me. And while I think that is not a good argument at all, I feel protected enough by using the free software I do and roughly knowing how to use a computer. I don't see a need to install a firewall just to feel better. Maybe that changes once my laptop is cluttered and I lose track of what software opens new ports.

On my server I use nftables. Drop everything and specifically allow the ports that I want to be open. In case I forget about an experiment or configure something entirely wrong (which also has happened) it adds a layer of protection there. I handle things differently because the server is directly connected to the internet and targeted, and my laptop is behind some router or firewall all the time. Additionally, I configured fail2ban and configured every service so it isn't susceptible to brute-forcing the passwords. I'm currently learning about Web Application Firewalls. Maybe I'll put ModSecurity in-front of my Nextcloud. But it should be alright on it's own, I keep it updated and followed best practices when setting it up.

[IoT devices] What would be a better alternative that you would suggest?

I really don't have a good answer to that. Separating your various assortment of IoT devices from the rest of the network is probably a good idea. I personally would stop at that. I wouldn't install cameras inside of my house and not buy an Alexa. I have a few smart lightbulbs and 2 thermostats, they communicate via Zigbee (and not Wifi), so that's my separate network. And I indeed have a few Wifi IoT devices, a few plugs and an LED-strip. I took care to buy ones where I could hack the firmware and flash Tasmota or Esphome on them. So they run free software now and don't connect to some manufacturers cloud. And I can keep them updated and hopefully without security vulnerabilities indefinitely, despite them originally being really cheap no-name stuff from china.

You can also set up a guest Wifi (for your guests) if you want to. I recently did, but didn't bother to do it for many years. I feel I can trust my guests, we're old enough now and outgrew the time when it was funny to mess with other people's stuff, set an alarm to 3am or change the language to arabic. And all they can do is use my printer anyways. So I usually just give my wifi password to anyone who asks.

However, what I do might not be good advice for other people. I know people who don't like to give their wifi credentials to anyone, since it could be used to do illegal stuff over the internet connection. That would backfire on who owns the internet connection and they'd face the legal troubles. That will also happen if it's a guest wifi. I'm personally not a friend of that kind of legislation. If somebody uses my tools to commit a crime, I don't think I should be held responsible for that. So I don't participate in that fearmongering and just share my tools and internet connection anyways.

(And you don't absolutely need to put in all of that effort at home. Companies need to do it, since sending all the employers home and then paying 6 figures to another company to analyze the attack and restore the data is very expensive. At home you're somewhat unlikely to get targeted directly. You'll just be probed by all the stuff that scans for vulnerable and old IoT devices, open RDP connections, SSH, insecure webservers and badly configured telephony boxes. Your home wifi router will do the bare minimum and the NAT on it will filter that out for you. Do Backups, though.)

some networks may block VPN related traffic

That's a bummer. There is not much you can do except obfuscate your traffic. Use something that runs on port 443 and looks like https (i think that'd be a TCP connection) or some other means of obfuscating the traffic. I think there are several approaches available.

Are you referring to the firewall on the router?

Yes. At home this will run on your (wifi) router. But the standard rules on that are pretty simple: Discard everything incoming, allow everything outgoing. Companies might have a dedicated machine, something like a pfSense in a server rack at each of their subsidiaries and draw a perimeter line around what they deem fit, the office building, a department, or separate the whole company's internal network from the internet. (Or a combination of those.) You just have one point at home where two network segments interconnect: your router.

I think it is important to distinguish between this kind of firewall and something that runs on a desktop computer. I'd call that a personal firewall or desktop firewall. It does different things: like detect what kind of network you're connected to. Enable access when you're at your workplace but inhibit the Windows network share when you're at the airport wifi. It adds a bit of protection to the software running on the computer, and can also filter packets from the LAN. And it's often configured to be easygoing in order not to get in the way of the user. But it is not an independent entity, since it runs on the same machine that it is protecting. If that computer gets compromised for example, so is the personal firewall. A dedicated firewall however runs on a dedicated and secure machine, one where there is no user software installed that could interfere with it. And at a different location, it filters traffic between network segments, so it might be physically at some network interconnect. There are lots of different ways to do it, and people apply things in different ways. Such a firewall might not be able to entirely protect you or stop malicious activity spread within the attached network at all. And of course you need the correct policy and type in the rules that allow people at the company to be able to work, but inhibit everything else. Perfection is more a theoretical concept here and nothing that can be achieved in reality.

[isolating the cheap chinese consumer electronics] As in blocking or restricting their communication with the rest of the lan in the router’s firewall, for example?

Yes, you'd need to separate them from the rest of the network so your router gets in-between of them. Lots of wifi routers can open an additional guest network, or do several independent WiFis. For cables there is VLAN. For example: You configure 4 independent networks, get your computers on one network, your IoT devices on another network, your TV and NAS storage on a third and your guests and visitors on yet another. You tell your router the IoT devices can't be messed with by guests and they can only connect to their respective update servers on the internet and your smarthome. Your guests can only connect to the internet but not to your other devices or each other. The TV is blocked from sending your behavior tracking data to arbitrary companies, it can only access your NAS and update servers. The devices you trust go on the network that is easygoing with the restrictions. You can make it arbitrarily complex or easy. This would be configured with the firewall of the router.

But an approach like this isn't perfect by any means. The IoT devices can still mess with each other. Everything is a hassle to set up. And the WiFi is a single point of failure. If there are any security vulnerabilities in the WiFi stack of the router, attackers are probably just as likely to get into the guest wifi as they'd get into your secured wifi. And then the whole setup and separating things was an exercise in futility.

would you be able to provide an example of how this [use a conventional firewall (or a VPN) to restrict access to that software to trusted users only] could be implemented? It’s not immediately clear to me exactly what you are referring to when combining “user” with network related topics.

I mean something like: You have a network drive that you use to upload your vacation pictures to in case your camera/phone gets stolen. You can now immediately block everyone from all countries except from France, since you're traveling there. This would be kind of a crude example but alike what we sometimes do with our credit cards. You can also set up a VPN that connects specifically you to your home-network or services. Your Nextcloud server can't be reached or hacked from the internet, unless you also have the VPN credentials to connect to it in the first place. You obviously need some means of mapping the concept 'user' to something that is distinguishable from a network perspective. If you know in advance what IP addresses you're going to use to connect, this is easy. If you don't, you have to use something like a VPN to accomplish that, make just your phone be able to dial in to your home network. (Or compromise, like in the France example.)

Lol, ~~one person~~ [Edit:] 4 people don't like your GNU mug. I do...

How would the firewall on one device prevent other devices from abusing the rest of the network?

Sure. I'm not exactly sure any more what I was trying to convey. I think I was going for the firewall as a means if perimeter security. Usually devices are just configured to allow access to devices from the same Local Access Network. This is the case for lots of consumer electronics (and some enterprises also rely on securing the perimeter, once you get in their internal network, you can exploit that.) My printer lets everyone print and scan, no password setup required while installing the drivers. The wifi smart plugs I use to turn on and off the mood light in the livingroom also per default accept everyone in the WiFi. And lots of security cameras also have no password on them or people don't change the default since they're the only ones able to connect to the home WiFi. This works, since usually there is a Wifi router that connects to the internet and also does NAT, which I'd argue is the same concept as a firewall that discards incoming connections. And while wifi protocols have/had vulnerabilities, it's fairly uncommon that people go wardriving or close to your house to crack the wifi password. However, since you mentioned mixing devices you trust and devices you don't trust... That can have bad consequences in a network setup like this. You either do it properly, or you need some other means to secure your stuff. That may be isolating the cheap chinese consumer electronic with god knows which bugs and spying tech from the rest of the network. And/or shielding the devices you can't set up a password on.

the only solution to it would be an application layer firewall like OpenSnitch, correct?

I don't think you can make an absolute statement in this case. It depends on the scenario, as it always does with security. If you have broken web software with known and unpatched vulnerabilities, a Web Application Firewall might filter out malicious requests. An Application Firewall if other software is susceptible to attacks or might become the attacker itself (I'm not entirely sure what they do.) But you might also be able to use a conventional firewall (or a VPN) to restrict access to that software to trusted users only. For example drop all packets if it's not you interacting with that piece of software. And you can also combine several measures.

Awesome! 😎

resize2fs and lvreduce? I mean if you have used LVM... It's not easy, but doable without a reinstall. Yeah. the guides also tell people to make a backup first.

Ah, well I just learned about the existence of free vpn services. I'm going to use it to set up a free guest wifi, so the neighbors, guests (and I) can do whatever with it. But I also struggle with the setup. It's complicated to get the wireguard interface set up, the guest wifi isolated and set up the split routing and everything so the different wifis on the router forward the traffic over different services.