
  • I'm paying Google for their enterprise gSuite which is still "unlimited", and using rclone's encrypted drive target to back up everything. Have a couple of scripts that make tarballs of each service's files, and do a full backup daily.

    It's probably excessive, but nobody was ever mad about the fact they had too many backups if they needed them, so whatever.
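The per-service tarball plus rclone crypt upload described above, written out as an added example (this is not the commenter's own script). It assumes the services live under a directory you pass in, that an rclone crypt remote named `gdrive-crypt:` already exists, and that `BACKUP_ROOT` is where local tarballs are staged; all three names are placeholders. The upload step is skipped when rclone is not installed so the tarball and verification logic can be exercised on their own.

```shell
#!/bin/sh
# Added example: nightly per-service tarballs pushed to an rclone crypt remote.
# Assumed/placeholder names: BACKUP_ROOT (local staging dir) and RCLONE_REMOTE
# (an rclone "crypt" remote, so the contents land encrypted on Google Drive).
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/services}"
RCLONE_REMOTE="${RCLONE_REMOTE:-gdrive-crypt:backups}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# make_tarball NAME DIR -> prints the path of the created tarball.
# -C keeps paths inside the archive relative, so a restore can be unpacked anywhere.
make_tarball() {
    name="$1"; dir="$2"
    stamp=$(date +%Y%m%d)
    mkdir -p "$BACKUP_ROOT"
    out="$BACKUP_ROOT/$name-$stamp.tar.gz"
    tar -czf "$out" -C "$(dirname "$dir")" "$(basename "$dir")"
    printf '%s\n' "$out"
}

# verify_tarball FILE -> succeeds only if the archive lists cleanly, which
# catches a truncated or corrupt archive before it is the only copy you have.
verify_tarball() {
    tar -tzf "$1" >/dev/null 2>&1
}

# upload_tarball FILE -> copies to the crypt remote; rclone encrypts file
# names and contents, so the provider only ever sees ciphertext.
upload_tarball() {
    if command -v rclone >/dev/null 2>&1; then
        rclone copy "$1" "$RCLONE_REMOTE/" && echo "uploaded $1"
    else
        echo "rclone not installed, skipped upload of $1"
    fi
}

# prune_local -> drop local tarballs older than KEEP_DAYS (the remote keeps its own history).
prune_local() {
    find "$BACKUP_ROOT" -name '*.tar.gz' -mtime +"$KEEP_DAYS" -delete
}

# backup_service NAME DIR -> tar, verify, upload; refuses to upload a broken archive.
backup_service() {
    f=$(make_tarball "$1" "$2") || return 1
    verify_tarball "$f" || { echo "archive $f failed verification" >&2; return 1; }
    upload_tarball "$f"
}

# Typical cron usage (paths are placeholders):
#   for d in /srv/*; do backup_service "$(basename "$d")" "$d"; done; prune_local
```

Run it from cron and stop the service (or snapshot its volume) before tarring anything with a live database, otherwise the archive can capture a half-written state that `verify_tarball` will still pass.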

  • https://www.crowdsec.net/product/crowdsec-security-engine is what I'm talking about.

    It's not the easiest setup ever, but their documentation is pretty straightforward and easy to follow.

    This is running on the host OS I'm using as the docker host.

    It basically inspects logs/traffic to determine if a request is malicious and blocks sources of malicious traffic in real-ish time. It's also crowdsourced data so you can import data on attacks other people have seen.

  • Regarding your last question: I don't expose any services directly to the Internet unless the functionality 100% requires that I do so.

    I have a couple of tiers of mitigation at the network level - I drop the Spamhaus DROP list at the edge, I have crowdsec security engine on the docker host itself as the next layer, and I otherwise make sure that everything is current and patched.

    I also use Cloudflare tunnels for cases where I need a service to be public (like, say, the Lemmy install I setup) but don't really want to be exposing my personal IP to the world.

    The end result is, basically, that I have a single nginx instance exposed on two virtual hosts, a single port for Plex, a single port for Wireguard and a (relatively) small attack surface that's designed to have limited mitigation from bad networks, and reasonable response times to developing threats via crowdsec. And, then, there's some internal VLAN separation between the docker host, the NAS, and other devices on the network that won't prevent someone from hopping around if they get in, but will at least make it a little more effort and work required to figure out the network topology.

    Nothing is ever "perfect security", but this is enough to mitigate the non-stop endless bot and malware noise, though it's only likely of limited use against someone who feels the need to personally target and attempt to compromise me, but honestly, that's not really a threat I'm particularly concerned with.
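The edge-level step in the comment above, dropping the Spamhaus DROP list, as an added example (not the commenter's own configuration): it parses the text form of the list, which is assumed here to be one `CIDR ; SBLref` entry per line with `;` comment lines, and renders an nftables set plus a drop rule. The entries in `SAMPLE_DROP` are constructed documentation-range networks, not real Spamhaus data, so the block runs offline; the table, set and chain names are placeholders.

```shell
#!/bin/sh
# Added example: convert a Spamhaus DROP list into an nftables ruleset.
# SAMPLE_DROP is constructed sample data (RFC 5737 documentation ranges);
# the real list is normally fetched from https://www.spamhaus.org/drop/drop.txt.
SAMPLE_DROP='; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: example
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
; trailing comment
203.0.113.0/24 ; SBL000003'

# drop_to_elements < list -> one IPv4 CIDR per line; strips ";" comments,
# trailing whitespace and blank lines, and refuses anything that is not a CIDR
# so a corrupted download cannot inject arbitrary text into the ruleset.
drop_to_elements() {
    sed -e 's/;.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
}

# count_elements < list -> number of valid entries (useful as a sanity gate
# before loading: an unexpectedly tiny list usually means a failed fetch).
count_elements() {
    drop_to_elements | wc -l | tr -d ' '
}

# render_nft_set NAME < list -> nftables snippet on stdout. "flags interval"
# lets the set hold prefixes; the input chain drops and counts matching sources.
render_nft_set() {
    name="$1"
    elems=$(drop_to_elements | paste -s -d ',' -)
    printf 'table inet filter {\n'
    printf '    set %s {\n        type ipv4_addr\n        flags interval\n' "$name"
    printf '        elements = { %s }\n    }\n' "$elems"
    printf '    chain input {\n        type filter hook input priority 0; policy accept;\n'
    printf '        ip saddr @%s counter drop\n    }\n}\n' "$name"
}

# Typical use against the live list (requires curl and nft on the edge host):
#   curl -fsSL https://www.spamhaus.org/drop/drop.txt | render_nft_set spamhaus_drop | nft -f -
```

The `counter` on the drop rule is what makes the layer observable: `nft list set inet filter spamhaus_drop` shows the loaded prefixes and the chain counter shows how much traffic the edge is actually shedding, which is the quickest way to confirm the list is doing anything.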

  • That, and if your filament has anything toxic that can off-gas when you heat it, you probably don't want it in your oven (if you use your oven for cooking food).

    I'm not sure which filaments are or are not going to have any additives that might be problematic, but since almost nobody actually says what's in their filaments, it's probably a good idea to just assume it's all not good for you and keep it away from your oven.

  • Well, I'm very explicitly not running it with the intent of it getting larger than maybe a couple dozen people I know who are interested. I'm not really interested in content moderation at any scale, let alone with random people I don't know from the internet. (My most recent job was dealing with content & abuse for a large cloud provider, and I have zero interest in picking up shitpost babysitting if it's avoidable.)

    I'm otherwise going with the Mastodon Server Covenant as the basic guidelines: I've got a trusted friend I'm going to add as a 2nd admin, doing backups nightly, and at least a 90 day notice if/when I decide to stop hosting this.

    I'd happily transfer the domain & data to anyone who wants to continue to admin it, or ask the community members what they want done.

    I'll admit that makes WAY less sense if I wanted to run an instance with thousands of users, but that's very much not the goal.

  • The thing you’re overlooking is that for a lot of the people hosting small instances, this is a hobby.

    Speaking for myself, the cost of a domain is basically nothing, and adding Lemmy to my hosting setup was zero - I already have more ram, cpu, and disk space than I’d ever need for this instance.

    Financial incentives are not the only thing people care about, and until relatively recently weren’t the general default purpose of online social spaces.

  • For anyone who doesn't know what 'registering for DMCA notification' means, you're after https://www.copyright.gov/dmca-directory/

    That said, there's no particular requirement that a DMCA notice be sent to you even if you have a registered agent and some reporters will send it to the abuse contact for the IP netblock you're hosted on regardless of registration, so you may want to make sure you understand what steps your provider may or may not take when they get a DMCA notice before you actually get a notice.

  • They're mostly boring stories: crypto mining and spam are probably 95% of them.

    I would say, though, that you really shouldn't ever trust any hosting provider too much. You (like, the global you: not anyone in particular) ideally wouldn't want to be beholden to a single provider, (though I know that makes things cost more and isn't really always practical) but you should never never never let your provider be the sole arbiter of your data.

    The teams that make the decisions on your account are under weird metric pressures to follow the flowchart and move on as fast as possible and don't really make any of the policies they're following and so if you somehow end up in their workflows, expecting the worst outcome is probably not the wrong mindset.

    Always have a backup of your data in your control so you can recover if your hosting provider kicks you off/vanishes/has a hardware failure/whatever.

  • Yeah, heard the same stories.

    I'll admit some bias against some of them because I spent most of the last decade doing abuse and anti-fraud work for another cloud hosting provider, and boy did I ever hear an endless parade of 'oh but I wasn't doing anything!' stories - even when I had absolute hard evidence that they were, indeed, doing something.

    Still, you could always get a human and the human could make a decision and reverse any account action after looking at your account and talking to you - which is something that Oracle seems to absolutely not do, which is just... stupid? The people they're banning are, at some point, going to be asked 'hey have you used a cloud provider you like?' and absolutely zero of them would ever recommend OCI.

  • Oh for sure; if I really am concerned with hosting something, I pay for a VPS somewhere. OCI is for things that, I'd prefer them to stay up, but if they don't, it's not catastrophically bad.

    Oracle's 'too bad so sad' support policy around this is absolute garbage, though.

  • Yeah, I should probably have included that I did convert the account to pay-as-you-go from the free-only service to avoid the reclaiming.

    I've had zero issues, but I know that is, for sure, not the exclusive experience people have had.

  • Mastodon is good if you're after following specific people, rather than just general topics.

    I've bounced off Twitter and then Mastodon several times because my use for social media is more for link aggregation and discussion, and I don't really necessarily care about who I'm having a discussion with, but rather that there's a good discussion about an interesting topic going on.

    I know hashtags are a thing and you can follow them, but I've kinda found them hard to deal with on Mastodon because everyone puts a giant pile of hashtags on everything so you end up following certain tags and like, maybe 1/3rd of the things that show up in the feed are actually really related to everything that was tagged.

    I do run an instance and find it's useful for certain things, but I very much prefer the Lemmy approach to content.

  • One other option is the "Always Free" tier on Oracle Cloud. You get some potato EPYC instances and some Altera ARM ones that are quite nice.

    There are people who have issues with their accounts getting banned with no recourse, but I've used OCI free for over a year with no issues (and run a Mastodon instance on some of the ARM stuff), and know a good number of people who have various services running on it with no issue long-term, so YMMV.

    The price is right, though, and you should keep current backups regardless.

  • Good news! Twitch is currently shitting all over itself with T&C changes around mandating exclusive streaming on their platform from their partners.

    The hilarity is that some of the streamers are moving over to Kick, which is a platform that may or may not have been built from the stolen Twitch source code, which is just the most amazing drama possible.

  • I'd like to add a comment here just to add some visibility:

    If you have an uncapped/unlimited internet connection, you should seriously consider running the Archive Team Warrior

    They're heavily involved in scraping and archiving data from all over the internet (and, recently, most/all of Reddit) so that it's preserved, regardless of what happens to the underlying platform.

    I run it on my home server in docker, but they have a lot of options for doing so and it basically requires just running it, and then forgetting it exists.

  • Agreed. The community MUST own its own platform or else they're just renters that can be evicted the minute someone thinks they can make money from them.

    This also isn't just an online issue (though my view is US-centric). There's been a lot of talk about the decline of a '3rd place' and its loss impacting social gatherings. You have your house, work, and then your social spaces, and there's a very big lack of social places where gathering and relaxing are acceptable without also having to engage in buying permission to be there.

    This carried over into a lot of people going online to find the same social gatherings, and then seeing the gathering places turned into profit centers for the owners without any discussion with the users of the space, and now they're finding that they don't have anywhere to go be social, and the online places that filled that gap are now vanishing as well.

    Now I'm not a sociologist (just a simple country computer janitor), but it strongly feels like a lot of the hyper-tribalism and aggressiveness that people are exhibiting is a direct result of having all the social spaces torn away and turned into profit centers, with zero regard for the people who visited or contributed to them.

    It just makes everyone more isolated and willing to hop on to whatever the next big 'social trend' is that some algorithm drops in front of them, and I think at this point it's pretty unarguable that what the algorithms are doing is not always benign. You gain a place to belong, even if what you're belonging to is abhorrent and toxic.

  • I think the differing view here is 'natural growth' vs 'forced growth'.

    I don't think large servers that come by being large because they're the preferred choice for a given community, topic, reliability, or whatever other criteria become valuable are bad.

    I think setting it up so that a new user is told 'You go here, and you sign up on this instance.' and writing all the onboarding stuff to direct them to the mega-instance for the sake of convenience because we can't figure out how to make it simpler or more clear or explain how federation works isn't the right path.

    I will admit I do not have a fantastic answer on how to explain to someone who has limited technical knowledge exactly WHY federation is the way to go for communication and that the instance you should pick relies almost exclusively on the reliability of the service (is it fast? does it stay running? is it going to exist in six months?) and the trustworthiness of the admin (are they someone who you can deal with in terms of moderation? do you trust they're not going to use their access to violate any trusts or behave in a way contrary to your beliefs?).

    I'm old enough that my first foray into 'federated' content was Fidonet, and which BBS you called 'home' and posted from was almost exclusively a decision based on the local BBS community and the sysop because the messages and software were otherwise exactly the same from BBS to BBS.

    So, my bias is that large instances can't be close communities and that larger instances require different and more aggressive and impersonal moderation and the bigger you get the more true both become.

  • Interesting; my general experience (and that of customers I spent time working with doing support for various cloud providers) was that you could, theoretically, do so, but 'sending the email to a provider' and 'the provider accepts it and delivers it' were not always the same thing.

    Microsoft was especially bad in that it would accept the message, and give you the standard SMTP 'message accepted' response but then silently just drop it in the backend, never to be seen again. Didn't go to spam, didn't land in a filter just... vanished.

    Google, at least, had the decency to tell you when it was going to reject your email, but still.

    It was always the same dance: you need a PTR, an SPF record, DKIM, etc. but at the end of the day, Google and Microsoft absolutely gatekeep what gets delivered to their platform, so if it's critical that your email shows up reliably every time, you have to move into the "ecosystem" of ESPs and all the hoops that are involved there if you want your message to go to the 'big providers'.

  • Protonmail is one of the larger providers of email at this point.

    If you were to set up your own SMTP server and try to deliver mail, you essentially cannot reliably email any of the larger providers, because they've taken steps to mitigate spam and issues which also makes it impossible to handle your own email anymore, even if the intent wasn't explicitly to break self-hosting.

    If you concentrate everyone into larger providers, you're allowing them the ability to gatekeep who can and cannot talk to their users, and most people will either not understand this, or be happy to allow it.

    I will admit to some bias in not trusting there to be a 'central' server that's run and maintained with the good of the community in mind because there are endless, endless examples of situations where the owners/maintainers of a service have decided to take actions that are fundamentally against their users' best interests - which, of course, is probably why anyone is actually here discussing this in the first place.

    Could onboarding be improved? Absolutely. But I really don't think the solution is to have a small handful of blessed instances and try to push everyone to them.