• 0 Posts
  • 6 Comments
Joined 6 months ago
Cake day: October 17th, 2025

  • matsdis@piefed.social to Selfhosted@lemmy.world: Security Scanning (score 4, edited 7 days ago)
    After I fiddle with the firewall rules (or a system install or major upgrade) I usually only do a quick portscan with nmap from another box. (TCP and UDP; IPv4 only, because I disabled IPv6 completely.) There are online port-scan services too, but you never know if they also invite the bots.

    I agree with others here that vulnerability-scanning your own applications seems overkill. Like with external virus scanners, I always feel they are just as likely the attack vector themselves. The more complexity, the more risk.

    What I do is:

    1. Enable unattended system updates (on Debian stable) and automated reboots. And sometimes check if it actually still works.
    2. Firewall configuration with a whitelist for public ports, and as a second layer:
    3. configure internal services to listen only on localhost, or to filter access by ip/netmask, and
    4. put something in front of services that don’t need general public access. (A wireguard tunnel, or HTTP basic auth in your reverse-proxy.)
    5. If you expose ssh to the public, make sure there is some extra step that prevents you from exposing a test user you just created. I’m using the `AllowUsers` user whitelist, but `KbdInteractiveAuthentication no` should be good enough too. If the failed login attempts by the bots bother you, you could run sshd on a non-standard port.
    6. Stop services you no longer use, or at least remove public access.
    7. If you have a complex service that needs to be fully public (say a video conference solution; I wouldn’t worry much about a simple static web server) then isolate it from everything else somehow. Ideally on a separate box, make sure it cannot access the internal network, make sure it cannot access any files it doesn’t need. And install those security patches.

    Something else I always wanted to do (but never got around to doing) is to create a simple canary intrusion detection. Like, putting some important-looking “prod” host into ~/.ssh/config and a private ssh key, and configure the target host to send me an SMS instead when this key tries to log in. (Or even shut everything down automatically.) This should prevent me from becoming part of a botnet for months unnoticed, maybe.
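    As an added example (not the commenter's own setup), here are two small POSIX sh helpers for the points in the list and the canary idea above: a check of an sshd_config-style file for step 5 (user whitelist, keyboard-interactive and password logins off, root login restricted, which port sshd listens on) and a count of logins that used a canary key in an OpenSSH auth log. The keywords and the "Accepted publickey ... SHA256:..." log line format are OpenSSH's; the config file, log lines and fingerprint in the demo are constructed, and Match blocks are ignored as a simplification.

```sh
#!/bin/sh
# Added example, not the commenter's configuration. Two POSIX sh helpers:
#  sshd_hardening_check FILE       - check an sshd_config-style file for step 5 above
#  canary_key_hits LOGFILE FPRINT  - count logins that used a canary key fingerprint
# File contents used in demo() are constructed; Match blocks are deliberately skipped.

# sshd_opt FILE KEYWORD: print the first (lower-cased) value of a global keyword.
# sshd uses the first value it reads for a keyword, so the first match wins here;
# the scan stops at the first "Match" line, which ends the global section.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment line
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == key && !found { print tolower($2); found = 1 }
    ' "$1"
}

# sshd_hardening_check FILE: print one WARN line per missing hardening point,
# return 0 only when every expected setting is present.
sshd_hardening_check() {
    f="$1"; bad=0
    # An explicit whitelist, so a freshly created test user is not reachable over ssh
    if [ -z "$(sshd_opt "$f" AllowUsers)" ] && [ -z "$(sshd_opt "$f" AllowGroups)" ]; then
        echo "WARN: no AllowUsers/AllowGroups whitelist"; bad=1
    fi
    # Keyboard-interactive prompts off (ChallengeResponseAuthentication is the older name)
    kbd=$(sshd_opt "$f" KbdInteractiveAuthentication)
    if [ -z "$kbd" ]; then kbd=$(sshd_opt "$f" ChallengeResponseAuthentication); fi
    if [ "$kbd" != "no" ]; then
        echo "WARN: KbdInteractiveAuthentication is not set to no"; bad=1
    fi
    if [ "$(sshd_opt "$f" PasswordAuthentication)" != "no" ]; then
        echo "WARN: PasswordAuthentication is not set to no"; bad=1
    fi
    case "$(sshd_opt "$f" PermitRootLogin)" in
        no|prohibit-password) ;;
        *) echo "WARN: PermitRootLogin should be no or prohibit-password"; bad=1 ;;
    esac
    port=$(sshd_opt "$f" Port)
    echo "INFO: sshd port ${port:-22}"
    return "$bad"
}

# canary_key_hits LOGFILE FINGERPRINT: count successful logins made with the canary key.
# OpenSSH logs "Accepted publickey for USER from IP port N ssh2: TYPE SHA256:...", so the
# fingerprint identifies the key no matter which account it landed in.
canary_key_hits() {
    grep -F "Accepted publickey" "$1" | grep -Fc -- "$2"
}

# Demo on constructed input.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
# constructed sample, not a real host's config
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers alice
EOF
    sshd_hardening_check "$tmp/sshd_config" || echo "config needs work"
    cat > "$tmp/auth.log" <<'EOF'
Jan  1 00:00:01 host sshd[100]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:CANARYFINGERPRINT
Jan  1 00:00:02 host sshd[101]: Accepted publickey for alice from 203.0.113.5 port 51235 ssh2: ED25519 SHA256:realkey
EOF
    echo "canary key logins: $(canary_key_hits "$tmp/auth.log" SHA256:CANARYFINGERPRINT)"
    rm -rf "$tmp"
}
demo
```

    For the live configuration rather than a file, `sshd -T` prints the effective settings with defaults filled in, which is a more reliable input than the raw sshd_config. For the canary key, the `command="..."` option in authorized_keys (together with `no-pty` and `no-port-forwarding`) runs an alert script instead of a shell whenever that key authenticates, which is the hook the comment describes; the log count above is the after-the-fact check that the alert was not missed.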


  • I have a router with a few cronjobs like this:

    # m h dom mon dow command
    00 20 12 * * echo "check bank transactions (monthly reminder)"
    00 19 15-21 * * test $(date +\%u) -eq 6 && echo "Anki learning reminder"

    Cron will by default send an email with the script output. So you “just” need a non-broken email setup that forwards system emails to your main account. (Assuming you don’t self-host email too.)

    This setup is useful because I have a few other cronjobs (backup scripts, and a health check for my own application) that should notify me in case of failure, and I would eventually notice that this is broken by noticing that those “calendar” emails no longer get through.
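    As an added example (not the commenter's crontab), the same cron-mails-output behaviour can be turned into a failure alert for the backup and health-check jobs mentioned above: a wrapper that stays silent when the job succeeds and prints a report only when it fails, next to the always-mailing reminder line that proves the mail path still works. The MAILTO address and script paths in the sample crontab are placeholders.

```sh
#!/bin/sh
# Added example, not the commenter's crontab. Cron mails whatever a job prints, so
# a wrapper that is silent on success and prints only on failure makes cron's
# default mail a failure alert. The reminder line from the comment is the heartbeat
# that shows mail delivery still works. MAILTO and paths below are placeholders.

# only_on_failure CMD [ARGS...]: run CMD, discard its output when it succeeds,
# print a report (exit code, command line, captured output) when it fails.
only_on_failure() {
    out=$("$@" 2>&1)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'FAILED (exit %s): %s\n%s\n' "$rc" "$*" "$out"
        return 1
    fi
    return 0
}

# Constructed crontab using this script installed as /usr/local/bin/only_on_failure:
#   MAILTO=me@example.org
#   # m h dom mon dow command
#   # heartbeat: always produces output, so it always mails
#   00 20 12 * * echo "check bank transactions (monthly reminder)"
#   # backup: mails only when the script exits non-zero
#   15 3 * * * /usr/local/bin/only_on_failure /usr/local/bin/backup.sh

# When executed as a script, wrap the command given on the command line.
if [ $# -gt 0 ]; then
    only_on_failure "$@"
fi
```

    If the heartbeat mail for the 12th stops arriving, the problem is the mail path rather than the jobs, which is exactly the signal the comment relies on.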


  • but businesses don’t have that luxury. That’s why they use proprietary software

    Wait, that doesn’t match my business experience. Those proprietary solutions are usually a collection of open source libraries and DBs and Elasticsearch or Redis and whatever running Linux VMs held together with duct tape and a small amount of proprietary application code (compared to everything else) using five different open source frameworks.

    Or if you buy, say, a laser cutter, how do you think they convert the images you prepare for engraving? Their own commercial libraries they bought from someone? Because businesses don’t do open source? Nope. How do you think businesses compile the firmware that goes into their CNC machine? Borland C++? Nope.

    When you use the proprietary software, they don’t tell you what went into it. That’s kind of the point - you are buying a solution and only want to know the price. When you host your own instead, you kind of need to know what goes into it, because you didn’t pay someone to do the integration for you.

    Or more fundamentally: with open source, you only get what the developer wanted to build. If you want someone to build what you need, you’ve got to be either lucky that the two things align close enough, or find a way to pay someone to focus on your needs instead of theirs. Or you can hope someone else pays someone to make it and then pays a little bit extra to also publish it open source for everyone else to use. Rarely happens, but it does happen.



  • Telemetry is in Server -> General -> Allow Anonymous Usage Collection. When you opt out, it also sends a final message to the server that you’ve opted out. The telemetry itself looks reasonable, I don’t mind sending it. It’s really just the dark pattern of opt-out vs. opt-in that bothers me.

    The donate button is the heart in the bottom left menu (not visible in the settings). It’s unobtrusive. I wouldn’t bother to remove it, except the tooltip says that I have to pay to remove it - now it has to go. Asking for donations is fine, but asking for money to remove a button is disgusting.


  • I’ve set up Kavita for my e-books. Nice UI, looks promising, and I’ve added some books. I haven’t really used it yet, because half of this was just an excuse to try podman (instead of docker). I wanted to set it up to run as an unprivileged user, without the docker daemon running as root. That wasn’t too hard, but it was definitely a few extra steps.

    But something about Kavita didn’t sit well with me. Maybe I don’t self-host enough stuff to know what’s normal, but there is a donate button, which I don’t mind, but its tooltip says: “You can remove this button by subscribing to Kavita+.”

    I’m donating to a few software projects already, and I have developed a substantial amount of free software myself. There is nothing wrong with asking for money. But what I cannot stand is when software running on my own device is intentionally acting against my interests. And this tooltip was very clear about not letting me do something that I might want to do.

    So I checked the source code for more. I found another anti-pattern: telemetry is opt-out instead of opt-in. But that seems to be it, I didn’t find anything worse than that. So… fair I guess, if the author wants it that way. It’s still free software. It looks like I could delete all the Kavita+ stuff myself and re-build. Which I’m going to do if I keep using it. But this is now an extra step that prevents me from just using it, because I need to feel in control of what I run. Kind of self-inflicted, I guess…