I messed up - and got called on it.

  • Published on 17 Apr 2024
  • === Links ===
    Get the AwesomeOpenSource Merchandise
    awesomeopensource.creator-spr...
    Support my Channel and ongoing efforts through Patreon:
    / awesomeopensource
    Buy Me a Coffee or Beer
    paypal.me/BrianMcGonagill?cou...
    === Contact ===
    Twitter: @mickintx
    Telegram: @MickInTx
    Mastodon: @MickInTx@fosstodon.org
    Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. For long term server usage, this is the way to go!
    www.ssdnodes.com/manage/aff.p...
    Get a $50.00 credit for Digital Ocean by signing up with this link:
    m.do.co/c/a6a61ae55242
    Use Hover as your Domain Name Registrar to get some great control over your domains / sub-domains:
    hover.com/SHPaiirr
    What does the money go to?
    To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest).
  • Science & Technology

Comments • 77

  • @EIRE55 2 months ago +9

    Deep respect to the person who quietly and gently pointed out your mistake, and without causing you any harm at all. We need more humans like that. Stay safe and well, everyone.

  • @joaovaz1289 2 months ago +11

    You did more than many multi-million dollar companies do. You had a security flaw, corrected it, did not hide it and still educated others to avoid the same issue from happening to others. Can't ask much more than that. Great stuff!!!! Keep up the great work!!!

    • @AwesomeOpenSource 2 months ago +2

      I appreciate it, and I see this as an opportunity to learn for us all.

  • @Stinosko 2 months ago +27

    Appreciating the video! Nobody is perfect🙂

  • @ghangj 2 months ago +14

    It happens to the best of us. Thanks for sharing.

  • @EIRE55 2 months ago +3

    Actually, this news has made my day. It means there's still some hope for humankind.

  • @jeffherdz 2 months ago +9

    Dude, You dodged a huge bullet.

    • @AwesomeOpenSource 2 months ago +2

      I think it's more like a kind stranger jumped in harm's way and shoved me aside, but indeed!

  • @SchalkNeethling 2 months ago +9

    This says a LOT about you. Thank you for doing this. Very few folks would actually do this. 👏

    • @AwesomeOpenSource 2 months ago +2

      When I mess up, I own it. It's not bad to admit we are flawed.

    • @SchalkNeethling 2 months ago

      @AwesomeOpenSource You said it.

  • @whereistheline8964 2 months ago +1

    Very valuable video! Thank you.

  • @arvindhn036 2 months ago +9

    You can use services like tailscale with split dns to access your network outside. Will ensure unauthorized devices won't connect to your network

    • @AwesomeOpenSource 2 months ago +5

      I actually am getting that setup with netbird, but indeed.

  • @bugdozer314 2 months ago +2

    I really appreciate your hands-on intros and thorough walk-throughs on all things open source. Excellent for folks to get a good feel for various tools. Thank you!
    Consider ansible, terraform (opentofu), etc, and have all such settings defined in code? Easy to copy or apply them to new installations, and ensure nothing is missed. I would much rather noodle through how to make traefik, nginx, or whatever, do what I want via ansible than have a UI to fiddle with for such serious configurations. (once you get a few things built with ansible, you then have a body of work to extend and build on, things become much easier.)

    • @AwesomeOpenSource 2 months ago

      I really do need to start looking into tools like this. Especially for my series on MSP building.

    • @bugdozer314 2 months ago

      @AwesomeOpenSource I'd be happy to share with you some of the things I'm doing.
      Ansible for local machine things, usually VMs atop proxmox, which in turn run immutable docker containers. No docker volumes, rather mount directories from /root/data/containername/volumename, which can then be easily backed up or restored, etc.
      Terraform for cloud things (gcp presently), again with immutable docker containers running atop GCP CoOS and a mounted drive for storing data long term.
      With these things, any part of a docker container or VM can be given up, rebooted, deleted, etc, and just a restore of the /root/data (if relevant) or remounting the data volume and we're up and running again.
      Using nginx or traefik for web proxy, SSL, etc, which is keyed to listen for docker labels if/how to provide http/s services. My own internal software is also packaged into docker containers for their runtimes. Nothing beyond base packages is usually installed on the host, and everything config wise is in git. Reboot, reinstall, docker image changes are almost always safe, or can be rolled back to earlier versions.
      TechnoTim and Jeff Geerling both have some resources on ansible, however, I don't know of anyone doing immutable containers this way (and sharing it publicly). This is an outgrowth of skills picked up at former employer(s), I think it'd make a revolution if it were widely adopted. Avoids a great many problems with docker, docker compose, etc (they are great for testing something out, but generally less than ideal for running/managing things long term IMO).
      Again, happy to share more detail. I don't have anything out on git publicly for this at the moment, but that's possible if there's interest. lmk if I can help in any way.

  • @jim7smith 2 months ago +1

    One of the things I really like about your channel, Brian is that you admit errors and fix them and tell us about them so we can avoid the same. Have a blessed day!

  • @JeromeMassey 2 months ago +2

    Good video best to learn from mistakes. Respect to the person that alerted you.

  • @Glatze603 2 months ago +3

    I would recommend to focus more on security and hardening your systems and your infrastructure, especially because you make many great videos for us. There are many things you can do in order to protect your data more efficiently than I have seen in many of your videos. I could give you a lot of security tips because this is my job 👍

    • @AwesomeOpenSource 2 months ago +1

      Always happy to get tips from anyone willing to share, my friend.

  • @dastiffmeister1 2 months ago +1

    Interesting video, thanks for sharing.
    My critical services have never been publicly accessible because of an ACL AND the dns records for those services are not public. The second aspect is also important in my opinion.

    • @AwesomeOpenSource 2 months ago

      Yep. I try to maintain that as well. The ACL was a huge miss by me.
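
Added example (not part of the comment thread or the channel's own configuration): two points raised above, keeping proxy settings defined in code so nothing is missed and putting an ACL in front of non-public services, can be combined into a check that fails when an internal host has no gate. The inventory schema, hostnames and addresses are hypothetical.

```python
"""Audit a reverse-proxy host inventory for internal services with no gate."""
from dataclasses import dataclass
from ipaddress import ip_network


# Hypothetical inventory schema (an assumption, not any proxy's real format).
@dataclass(frozen=True)
class ProxyHost:
    domain: str
    upstream: str
    public: bool = False          # exposure must be opted into explicitly
    allow: tuple[str, ...] = ()   # CIDR ranges permitted by the access list
    auth: bool = False            # proxy-level login in front of the service


def audit(hosts):
    """Return (domain, reason) findings for hosts reachable without a gate."""
    findings = []
    for h in hosts:
        if h.public:
            continue  # deliberately public, e.g. a blog
        nets = [ip_network(c) for c in h.allow]  # raises on a malformed CIDR
        if not nets and not h.auth:
            findings.append((h.domain, "no access list and no authentication"))
        elif any(n.prefixlen == 0 for n in nets) and not h.auth:
            findings.append((h.domain, "access list allows any address"))
    return findings


# Constructed sample inventory; names and addresses are placeholders.
INVENTORY = [
    ProxyHost("blog.example.org", "10.0.0.10:8080", public=True),
    ProxyHost("dash.example.org", "10.0.0.11:4000"),
    ProxyHost("files.example.org", "10.0.0.12:8443", allow=("0.0.0.0/0",)),
    ProxyHost("notes.example.org", "10.0.0.13:3000", allow=("10.0.0.0/24",)),
    ProxyHost("wiki.example.org", "10.0.0.14:3000", auth=True),
]

if __name__ == "__main__":
    results = audit(INVENTORY)
    for domain, reason in results:
        print(f"FAIL {domain}: {reason}")
    raise SystemExit(1 if results else 0)
```

Run as a pre-deploy step, the non-zero exit status blocks a rollout in which a host defaults to internal but has neither an access list nor a login in front of it.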

  • @SchalkNeethling 2 months ago +2

    Also agree, what a solid person who did that. They could have really made your life super hard.

    • @AwesomeOpenSource 2 months ago +1

      Absolutely, the person who left me a simple message was Awesome about how they did it.

  • @zenith54 2 months ago +3

    Lessons learned vids are always welcome and valuable, thanks for taking the time. Would you consider doing one on making a homelab security checklist when deploying new things?

    • @AwesomeOpenSource 2 months ago

      What an amazing idea! Absolutely.

  • @kristof9497 2 months ago +1

    kind person

  • @XSpImmaLion 2 months ago +3

    Phew, glad the right person detected it... xD
    But yeah, it comes with this type of content. Thanks for sharing it too!
    When I finally get my hardware together, my plan is to set it all up over Tailscale for external access. As I won't need for anyone else to get access to my stuff, it'll be strictly personal, it doesn't really need a proper public address.
    But it gets way harder to administer all of it if you need a public facing address... I have a hard time wrapping my head around all the stuff that needs to be in place.

    • @AwesomeOpenSource 2 months ago

      I need to do an updated video about how that stuff works together. And, yes, thank goodness my community is so awesome!

  • @uuu12343 2 months ago +2

    It happens to the best of us, time to integrate cybersecurity into your homelab!
    Great learning point

    • @uuu12343 2 months ago +1

      Fun fact: In cybersecurity, this is what we call Ethical Hacking, specifically Vulnerability Testing and Analysis + Pentesting that's part of the offensive security side of things

    • @uuu12343 2 months ago +1

      Also, perhaps a video on setting up a headscale/tailscale + maybe a vps from scratch?

    • @AwesomeOpenSource 2 months ago +1

      Definitely. I actually toyed with becoming a white-hat hacker (ethical hacker) as a job, but not sure I've got the right skill set for it, and it takes a ton of work to really learn about it.

    • @AwesomeOpenSource 2 months ago

      I have a headscale / tailscale client video out already, but might be good to do another.

  • @rklauco 2 months ago +2

    This speaks volumes about how good your channel is - your audience includes the nice internet people - and that is getting rare these days!

    • @AwesomeOpenSource 2 months ago +1

      My community is awesome, and it renews my faith in humankind every day.

  • @darkienescariot9361 2 months ago +7

    Tailscale can help avoid this kinda thing. Glad you didn't get completely pwned.

    • @keyboard_g 2 months ago +4

      100% this. Never expose anything to the internet that isn’t meant to be public.

    • @AwesomeOpenSource 2 months ago +1

      Indeed, though I'll probably use Netbird, but 100% agree, and it's the way I should have gone to start with after the move, just got behind on things and it all just bubbled over on me.

  • @l0gic23 2 months ago +1

    Thanks for sharing

  • @csgrullon 2 months ago +2

    You could try tailscale for remote access.

    • @AwesomeOpenSource 2 months ago

      I use Netbird, just hadn't set everything back up yet. I prefer the open source tools whenever possible.

  • @bloodniece 2 months ago +1

    CloudFlare privacy proxy will help too.

    • @AwesomeOpenSource 2 months ago

      Yeah, just trying not to depend too much on a 3rd party for that. There are great tools out there, I just need to take my time and get them setup properly first.

  • @coldpizza2453 2 months ago +2

    I am glad nothing got damaged
    I can't afford home labs/servers where I live, but if I ever did it, it will be totally air gapped and if I ever want to connect to it from outside of home I will expose only one PC and ssh/VNC to that PC then connect to my home LAN (this is the best I can think of, not saying best way to do it)
    Good Luck

  • @andreasgramfalt 2 months ago +1

    No reason at all to expose any service like that. Use VPN 😀

    • @AwesomeOpenSource 2 months ago

      Indeed. VPNs are a great option. Working up my netbird setup as we speak.

  • @southseapirate1 1 month ago +1

    I'm not smart enough to understand all of this and cover all the attack vectors. So I just VPN or nothing.

  • @poonsakthipwan4384 2 months ago +1

    Hi, What tools did you use to create this beautiful dashboard? :)

    • @AwesomeOpenSource 2 months ago

      The dashboard itself runs on Dashy. Here's a video on it. th-cam.com/video/QsQUzutGarA/w-d-xo.htmlsi=7YRJHoWotadxQgyO

    • @poonsakthipwan4384 1 month ago

      @AwesomeOpenSource I like it. Thank you so much.

  • @4ida 2 months ago +1

    I wonder now if nginx proxy manager could also do the serving static vhost html (similar to typical nginx config, like just point the right directory to use)

    • @AwesomeOpenSource 2 months ago

      Not sure. It might be a good request as an added feature though.

  • @chrisearl2217 2 months ago +4

    Just watching this for the colourful dashboard thingy, wish I understood what he was talking about.

    • @abdraoufx 2 months ago +1

      He got hacked basically. And it was his fault.

    • @AwesomeOpenSource 2 months ago +4

      The dashboard is Dashy, and I left one of my services that I run from my homelab exposed without any authentication around it. Someone who noticed got on and showed me by changing my dashboard config just a bit.

    • @chrisearl2217 2 months ago +2

      @AwesomeOpenSource there are still a few decent people out there 😀

  • @jamesbaxter2812 2 months ago

    Ok. To start with. The more I watch you. I get more items I can do. Like your backup. Which I need to do.

    • @AwesomeOpenSource 2 months ago

      That's a good thing. Take it slow. Learn the basics. Learn about Docker. I have a video that will help a bit I think. It's a bit older, but still valid. th-cam.com/video/cjJVmAI1Do4/w-d-xo.htmlsi=x_Guk4KTqSfzNmus

  • @TheBeefiestable 1 month ago +1

    sorry... but you have no idea that they "did no harm at all"
    if you don't recreate EVERYTHING from scratch, you have no idea what kind of long term backdoor is running
    in fact we know due to the xz stuff, that this is basically an unwinnable war
    even if we segregated every single app into virtual machines, and whitelist-only every network packet... we still can't be sure

    • @AwesomeOpenSource 1 month ago

      Well, not exactly. The only service that was open was the access to my Dashy. They were able to modify my Dashy config, which I did check as well. They could have linked to some of my other public services from there, but those were all protected with logins and 2FA. There was really nowhere else to go from there. And, if they wanted to do something nefarious, why even tell me they did it in such a nice way. Your thoughts are completely valid though. Fortunately, I've been reworking a ton of stuff anyway, so it's all been "redone" twice by now.