• 0 Posts
  • 51 Comments
Joined 2 years ago
Cake day: June 10th, 2023

  • My Linux laptop is set to check for updates daily, which I then apply manually when I notice the tray icon. I sometimes procrastinate when it comes to reboots though.

    My Android phone is on auto-update, which seems to mean whenever it’s been charging for a few hours (so typically when charging overnight). Because the battery is still pretty good and I don’t need to charge daily, that comes down to once every 2-3 nights or so.

    My personal Linux servers (which run my self-hosted apps) are configured to automatically apply all updates (and reboot if necessary afterwards) at the time of day I’m most likely to be awake and available to manually fix stuff if anything goes wrong. The Docker containers that run on them mostly get auto-updated to the latest version every 6 hours by Watchtower. A few containers have more cautious policies though, ranging from pinning a major version (but auto-upgrading to new minor versions within that) to pinning a specific version and at most sending a notification if there’s an update. The latter is limited to stuff that has broken before and/or where newer releases are known to be buggy or incompatible.

    When it comes to major updates (i.e. new distro releases) of my Linux machines, I typically wait about a month before upgrading because I’ve been bitten by release-day bugs before.



  • It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private WireGuard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why Cloudflare works the way it does), but I prefer my HTTPS endpoint to be on my own trusted hardware.

    For TLS-based protocols like HTTPS you can run a reverse proxy on the VPS that only looks at the SNI (server name indication) which does not require the private key to be present on the VPS. That way you can run all your HTTPS endpoints on the same port without issue even if the backend server depends on the host name.

    This StackOverflow thread shows how to set that up for a few different reverse proxies.

  • If this is something you run into often, it’s likely still only for a limited number of servers? ssh and scp both respect .ssh/config, and I suspect (but haven’t tested) that sftp does too. If you add something like this to that file:

    Host host1 host2
      Port 8080
    

    then SSH connections to hosts named in that first line will use port 8080 by default and you can leave off the -p/-P when contacting those hosts. You can add multiple such sections if you have other hosts that require different ports, of course.
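To show how several such Host sections combine, here is an added Python script (written for this page, not posted by the commenter; the sample config is constructed) that resolves the effective Port and User for a hostname the way OpenSSH does: each option keeps the first value obtained while reading the file top to bottom, so specific blocks must come before wildcard ones. It also handles the `!` exclusion form of a Host pattern. Match blocks are not handled (an assumption of this example).

```python
import re

# Constructed sample ssh_config, not the file from the comment above.
SAMPLE_CONFIG = """\
# Same non-default port for several hosts
Host host1 host2
  Port 8080

# A later block for host2: ssh keeps the FIRST value it saw for each
# option, so this Port never takes effect for host2.
Host host2
  Port 9999

# Wildcard block, with one host explicitly excluded from it
Host *.internal !vpn.internal
  Port 2222
  User deploy

# Catch-all defaults belong last
Host *
  User me
"""

DEFAULTS = {"port": "22"}


def _pattern_matches(pattern: str, host: str) -> bool:
    """ssh_config-style glob: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, flags=re.IGNORECASE) is not None


def _host_block_matches(patterns, host: str) -> bool:
    """A Host block applies when no '!' pattern matches the host and at
    least one positive pattern does."""
    positives = [p for p in patterns if not p.startswith("!")]
    negatives = [p[1:] for p in patterns if p.startswith("!")]
    if any(_pattern_matches(n, host) for n in negatives):
        return False
    return any(_pattern_matches(p, host) for p in positives)


def parse_config(text: str):
    """Return (patterns, {option: value}) blocks in file order. Options before
    the first Host line go into an implicit block that matches every host."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()   # ssh also accepts "Port=8080"
        key, values = parts[0].lower(), parts[1:]
        if key == "host":
            blocks.append((values, {}))
        elif values:
            # a repeated option inside one block is ignored: first value wins
            blocks[-1][1].setdefault(key, " ".join(values))
    return blocks


def resolve(host: str, text: str = SAMPLE_CONFIG) -> dict:
    """Effective options for host: walk matching blocks in order, keep the
    first value seen for each option, then fill in OpenSSH's defaults."""
    effective = {}
    for patterns, options in parse_config(text):
        if not _host_block_matches(patterns, host):
            continue
        for key, value in options.items():
            effective.setdefault(key, value)
    for key, value in DEFAULTS.items():
        effective.setdefault(key, value)
    return effective


def effective_port(host: str, text: str = SAMPLE_CONFIG) -> int:
    return int(resolve(host, text)["port"])


if __name__ == "__main__":
    for h in ("host1", "host2", "web.internal", "vpn.internal", "host3"):
        print(h, resolve(h))
```

For a real config the check is `ssh -G host2`, which prints every option value OpenSSH has actually computed for that host after applying the config file, so you can confirm which Port won before relying on it.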

  • Perhyte@lemmy.world to Piracy@lemmy.ml · Piracy > resellers · score 2 · 1 year ago

    Many piracy sites run ads though, don’t they? Unless everyone visiting runs ad blockers (unlikely) the people running those are making at least some money. Presumably it at least covers the cost of running the sites.

    It’s probably just as the comment you replied to said: “stuff bought with stolen credit cards (and resold on those sites) actually costs us money, as opposed to piracy which merely ‘costs’ us money”.


  • I assume you mean the table on the last page of the paper, which indeed shows WireGuard is safe against the second attack.

    If you go back one page (to page 17) it has another table for the first attack. That one is less positive about WireGuard:

    • The good: On Linux/Android, WireGuard is safe against that one.
    • The bad: macOS and iOS WireGuard are marked as vulnerable to that first attack.
    • The ugly: Windows is marked as “local traffic blocked” which presumably means the attack failed but so does the connection they tried to attack.