this post was submitted on 15 Jun 2023
28 points (100.0% liked)

Technology

37736 readers
447 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

I'm almost ready with my lemmy instance server. Now what are some steps that are definitly worth doing after setup?

top 20 comments
sorted by: hot top controversial new old
[–] Wander@yiffit.net 16 points 1 year ago* (last edited 1 year ago) (4 children)

Definitely install fail2ban and use certificates for ssh authentication. Also, use cloudflare and consider using an email delivery service like jetmail instead of sending mail directly from the instance.

You could then block any incoming traffic that doesn't come for port the ssh port or from cloud flare for port 443.

[–] fastfinge@rblind.com 9 points 1 year ago (2 children)

In my opinion, folks should avoid Cloudflare at all costs. They're free speech maximalists with a history of defending NAZI's and other terrible people. They only discontinue service to white nationalists when the media attention gets too hot. Then they turn around and let them back in once things have died down.

Also, speaking as a screen reader user, if they think your IP address is suspicious (maybe because you're using Tor or a VPN), they present an inaccessible captcha and don't offer work-arounds. Then because the entire website is blocked behind the captcha, screen reader users can't even get in contact with you to let you know what's happening.

[–] Fizz@lemmy.nz 16 points 1 year ago

Cloudflare is a major player in the infrastructure of the internet. The should remain neutral and provide their service to anyone operating within the law.

[–] DXLUSION@beehaw.org 6 points 1 year ago (1 children)

Care to share any source on the first part? Not doubting, I’m just genuinely curious because this is the first time I’ve read that.

[–] fastfinge@rblind.com 3 points 1 year ago (1 children)

From a Mashable article published at the time, quoting the CEO in his own words:

In an interview, Prince expressed doubt about his decision to remove The Daily Stormer from Cloudflare, and conveyed concern over companies like his own, and their ability to pull a lever, and knock a website offline.

[–] SemioticStandard@beehaw.org 12 points 1 year ago* (last edited 1 year ago)

If you go back to [the] early days of Cloudflare, we've wrestled with: 'What is our role in term of controlling what content flows through our network?' And we believed that the right principle was to remain content neutral.

I think he’s exactly correct. This is what Net Neutrality is about. Service providers on the Internet should be treated like a utility. It’s easy to conflate this issue with that of ‘tolerating the intolerant,’ but I don’t think that’s correct at all. It’s also an argument that many parts of the Internet infrastructure have had. Cloudflare is a big part of the infrastructure underpinning the Internet at large, but it’s only a part. There are many others that need to come together to support a simple website. What about RIRs (Regional Internet Registries) like ARIN, who are responsible for allocating IP addresses? If you’re going to be upset with Cloudflare for struggling about whether or not to be neutral, why should they get off the hook? I think it’s probably because most people don’t understand how the Internet works, and so they remain ignorant of what goes into simply ‘hooking up’ a website to the Internet, allowing these other critically necessary components to fly under the radar of the public attention.

The debate about various Internet infrastructure entities remaining neutral has long raged. By and large, the communities that build and maintain these kinds of underpinnings have come down on the side of remaining neutral. It’s a vastly complex situation, with no easy answers, and a LOT of ‘hidden’ variables and concerns.

[–] lemmy@melly.0x-ia.moe 3 points 1 year ago (1 children)

Also, use cloudflare and ...

I was using CF initially for proxying, but noticed some weirdness with federation. I would only get updates from Beehaw, but lemmy.world and other servers' updates wouldn't come through. As soon as I dropped the proxy and restarted the server, my instance got flooded by updates. I'm really not sure where to start debugging, so I've kept it off for now

[–] chris@l.roofo.cc 1 points 1 year ago (2 children)

CF has some firewall feature active by default. You have to turn them off.

[–] lemmy@melly.0x-ia.moe 1 points 1 year ago

Oh thanks for the direction. Will check it out!

[–] lemmy@melly.0x-ia.moe 1 points 1 year ago (1 children)

Checked it out. I ended up having a WAF rule blocking non-US traffic.... Given Beehaw is US based, the fact that I was mostly getting posts from this instance makes a lot of sense now. Thanks again

[–] chris@l.roofo.cc 2 points 1 year ago

Glad I could help

[–] Sal@mander.xyz 3 points 1 year ago (1 children)

consider using an email delivery service like jetmail instead of sending mail directly from the instance

Why is this better? To overcome spam filters, or is there some security risk associated with e-mails?

[–] Wander@yiffit.net 6 points 1 year ago (1 children)

Better delivery and avoids exposing your IP via emails, although it's best to setup a some sort of tunnel to avoid having that problem altogether.

[–] Sal@mander.xyz 2 points 1 year ago (2 children)

Better delivery and avoids exposing your IP via emails, although it’s best to setup a some sort of tunnel to avoid having that problem altogether.

Is it possible to have a public-facing instance without exposing your IP? I am not sure I understand that part, and I am very interested in understanding how to achieve that.

[–] Wander@yiffit.net 4 points 1 year ago (1 children)

Yes, you tunnel all your traffic through cloudflare. Google "Cloudflare tunnel".

Whatever people say about cloudflare, right now it's a necessity if you manage a public facing server and don't have the resources to avoid DDoS attacks.

[–] Sal@mander.xyz 4 points 1 year ago

Thank you! I will look into cloudfare, what people say about it, and what resources are necessary to avoid DDoS attacks without it!

For incoming http(s) connections you can hide behind Cloudflare, which also helps for caching pictures. For outgoing connections to other instances you could also hide behind an outgoing proxy, in my opinion that's not really necessary, but I'm sure others would disagree on that.

[–] tgxn@lemmy.tgxn.net 2 points 1 year ago

To further this, I use a mail relay that accepts connections on SMTP and then forwards outbound email via a service like AWS or sendgrid via their API.You can run a forwarder in a container.

[–] Penguincoder@beehaw.org 10 points 1 year ago

Practice standard server security.

  • Disable all inbound ports in the firewall except for those you absolutely need (like port 80/TCP, port 443/TCP, sshport/TCP, DENY all other inbound)
  • Use the principle of least privilege. Don't run your docker containers or web server as the root user. Make a new user, give it only the permissions needed in order to run the service definitely not sudo group. Set a strong password for those users, and disable remote/SSH logins for them
  • For SSH, use public key authentication, disable password login afterward
  • Instead of fail2ban, I like and would recommend Crowdsec. Needs some fiddling for Lemmy though, due to rate limits and federation
[–] Stijn@lemmy.antemeridiem.xyz 1 points 1 year ago

Thank you for the responses i will use your advise wisely!

load more comments
view more: next ›