Nextcloud and the Open Web

Two evenings ago I played with setting up a No-IP host and set up the Swisscom router to put a Pi in the DMZ so that I could access the Apache server and Nextcloud from the open web, and it worked. I had it all done within 15-20 minutes. Now, for those asking “But why Nextcloud?”, the answer is simple. It offers two-factor authentication and it is trusted by various EU institutions and governments. It is also trusted in Geneva, but I don’t remember by whom at this point.

Multiple Hacks Due to Vulnerable Apps

I have had a website and web presence since ’97 or so, but in recent years some of my older projects, and WordPress too, were repeatedly hacked, to the point that I deleted all the old projects I had on the site because they made my website vulnerable to attack. Several times my website was locked and I had to spend several hours, or even days, to restore access. After a few such experiences I streamlined recovery, but I also increased security. Now all my accounts have two-factor authentication and each site has a different password.

PhotoPrism Unvetted

In theory PhotoPrism would be fun to have on the open web, because I could upload images and share them more easily. The drawback is that I haven’t RTFMed (read the fabulous manual) on two-factor authentication for PhotoPrism.

WP and NC Two Factor Authentication

WordPress and Nextcloud are both designed with the option of two-factor authentication, so those are the two sites that I have running. For a while I thought “but if I run it through the Tailscale VPN that’s good enough for me”, and it is. I’m happy to block off full access to these services so that only I, and those I share these devices with, have access, but at the same time it’s good to learn and to experiment.

Easier than Expected

I expected that punching a hole through to the server would be complicated, but it was easy. I intuitively knew what to do without RTFM. I should add that I have spent the last three years studying related topics, so “intuitive” means “put in the hours”.

Firewalled

I also set up UFW the morning before attempting this experiment, and I tested whether I had SSH access from the World Wide Web. It was when I saw that I didn’t that I set up two-factor authentication. If that hadn’t been the case I would have deleted the No-IP address.

The Advantage of the Open Web

The advantage of having the servers on the open web is that I can share links to files more easily when required to do so. It also means that I can back up photos whilst I’m out, without having to log in through the VPN.

The disadvantage is that I need to verify that my setup is secure, and I need to spend time checking that SQLi attacks, among others, are not possible. I added Wordfence to the WordPress install, and brute-force protection and two-factor authentication to Nextcloud. Having done these things, I still want to do some more research to ensure that the sites on that one server are secure.

The VPN Advantage

The VPN advantage is that I control access and it’s behind the security protocols put in place by Tailscale. It should be harder for people to gain malicious access.

And Finally

Now that I have seen how simple it is to make a home server available to the World Wide Web rather than hidden behind a VPN, I might set up a smaller instance with less storage that is set up to back up photos and videos while I’m hiking and walking, but that would be emptied and moved to a more secure instance within my personal network.

Time for more experimentation.

Airport security can be fun

When you fly a lot you get used to the antics of airport security. Sometimes you see people get angry and flustered by their stuff being searched. Sometimes I’ve felt that way as well.

Today was amusing. My bag went through the X-ray machine and, since it was so full of books, DVDs and more, they wanted to look inside. No one else was passing through at the time, so I joked about how they had to keep busy. One of them joked about having to find something to confiscate to keep himself entertained. Shame I had nothing of interest.

I chatted about the DVD in my bag and about a series related to the first one, and it was generally quite friendly.

Hey, when you’ve flown five times in two months you’re bound to be more relaxed about certain aspects, especially when you’re in no rush because you gave yourself enough time.

E-mail security

Many people have e-mail accounts and enjoy writing to their friends every day, but little do they know about the dangers of hackers or people who have too much time on their hands. A few weeks ago, while I was on the computers, it struck me how simple it might be to get into someone’s account. I therefore wondered what methods there were of finding passwords.

Chain letters:

We all receive many forwards, chain letters and so on. Sometimes there are some which are like a form asking many harmless questions about your hobbies, favourite foods etc., and you fill these in without thinking very hard. Some of them even include questions such as “What is your dream vacation spot?” or “What would you buy if you won the lottery?” Notice anything? That’s right! They are the same questions as the ones that e-mail providers suggest for the password hint. By sending out this information, you invite people to attempt a break-in.

Watching people and getting to know them:

Getting to know people is another good way of getting passwords. For example, one person’s hint was “Who do I like”, and if you know the person, it won’t take too long to figure out the password.
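To make the two points above concrete, here is an added illustration that is not part of the original piece: what someone holding your chain-letter answers can do with your password hint. The script matches the hint against the questionnaire questions by word overlap, picks the answer that goes with the best match, and expands it into the spellings people actually type as passwords (case changes, spaces removed, a short suffix). The questionnaire answers and the suffix list are invented for the example.

```python
import re

# Constructed sample: the kind of answers a forwarded questionnaire collects.
# These values are invented for this example, not taken from any real person.
QUESTIONNAIRE = {
    "What is your dream vacation spot?": "Bora Bora",
    "What is your favourite food?": "lasagne",
    "What is your pet's name?": "Biscuit",
    "Who do I like?": "Jenny",
}

# Words that carry no meaning when comparing a hint with a question.
STOPWORDS = {"what", "is", "your", "my", "the", "a", "i", "do", "you", "would"}

# Suffixes people commonly tack on to turn a word into a "password" (assumed list).
SUFFIXES = ("", "1", "12", "123", "!", "2007")


def _words(text):
    """Lower-cased content words of a hint or question."""
    return set(re.findall(r"[a-z]+", text.lower())) - STOPWORDS


def variants(answer):
    """The spellings an answer is typically turned into as a password:
    original, lower, upper and title case, each with and without spaces,
    each with one of the common suffixes."""
    base = answer.strip()
    forms = {base, base.lower(), base.upper(), base.title()}
    forms |= {f.replace(" ", "") for f in list(forms)}
    return {f + s for f in forms for s in SUFFIXES}


def candidate_passwords(answers):
    """Every variant of every answer: the guess list an attacker builds from a questionnaire."""
    return set().union(*(variants(a) for a in answers.values()))


def guesses_from_hint(hint, answers):
    """Match a password hint to the questionnaire question it most resembles and
    return the variants of that answer. Returns an empty set when the hint shares
    no content word with any question, i.e. the questionnaire gives no lead."""
    hint_words = _words(hint)
    best_question, best_overlap = None, 0
    for question in answers:
        overlap = len(hint_words & _words(question))
        if overlap > best_overlap:
            best_question, best_overlap = question, overlap
    if best_question is None:
        return set()
    return variants(answers[best_question])


def password_is_guessable(password, answers):
    """True when the password is an obvious variant of a questionnaire answer."""
    return password in candidate_passwords(answers)


if __name__ == "__main__":
    for hint in ("What is your dream vacation spot?", "Who do I like", "first car"):
        guesses = guesses_from_hint(hint, QUESTIONNAIRE)
        print(f"hint {hint!r}: {len(guesses)} guesses, e.g. {sorted(guesses)[:3]}")
```

The guess list is tiny, a few dozen strings per answer, which is the whole point: a hint that maps to a question you have already answered in public turns a password search into a handful of tries. Picking a hint that does not describe the password, or a password unrelated to anything you would put in a questionnaire, makes `guesses_from_hint` return nothing useful.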

Keeping the browser window open and letting someone else use the computer:

Since I have my own laptop, I am safe from this threat. But many times in the computer room I have seen people leave the browser window open. This may seem fairly harmless, but you’re encouraging someone to use your account to send messages under your name. If it happens to be someone honest using the computer after you, then nothing bad should happen. But if it is someone who is bored, angry or just has a twisted or cruel sense of humour, then they may insult a person to whom you were writing. These sorts of pranks can destroy an e-mail friendship without your even knowing why.

To Conclude:

I hope that I have successfully demonstrated that care should be taken in choosing a password, and also that you should log out and close Internet Explorer or other browsers before letting someone else use the computer.
safe surfing/ surf’s up/ logging out for now.