You can reduce doorknob turning dramatically by running on a non-standard port.
Scanners love 80 and 443, and they really love 20, but not so much 4263.
I used to run a landing page on my domain with buttons to either the request system / jellyfin viva la reverse proxy. If you’re paranoid about it, tie nginx to a waf. If you’re extra paranoid, you’ll need some kind of vpn / ip allow-listing
That looks promising. Just keep in mind that this will take a very long time to run. I believe there is a *arr out there that can manage this / show progress, but the name escapes me
Hey! Best of luck, I’m actually going down the same road at the moment :)
I would build it yourself - it’s more fun, and is cheaper than renting over a shorter-than-you-would-think time period.
The first thing to know is whether or not you can port-forward / if your isp has you behind nat.
Exposing virtual disks is relatively straightforward, or even just storage quotas on a single disk. I’m about to jump into the wide world of zfs; I need to glue together 4+ disks into a single storage array.
If you want everyone to have a separate VM, you’ll need some kind of hypervisor underneath. Could you grant everyone a user account in a single system, and use docker for separation?
It sounds like the others will be connecting remotely - make sure you use ssh keys (not passwords) and disable root over ssh. Once ssh is exposed to the internet, you’ll see a lot of failed login attempts
The VPN catches all network traffic and puts it far away - you can’t be on vpn and see local network resources (casting targets) at the same time.
If your vpn has an app, check your settings for something like “local network access”.
Otherwise, start reading about split-tunnels and/or default gateways
Yes - the nodes are obsidian pages (markdown files), this view is a napkin-type layout thing that is built in; I haven’t played much with it
You’re running docker inside a vm? Why?
The first thing I would do is learn the 5-layer OSI model for networking. (The 7-layer is more common, but wrong). Start thinking of things in terms of services and layers. Make a diagram for each layer (or just the important layers. Layers 3 and up.)
If you can stomach it, learn network namespaces. It lets you partition services between network stacks without container overhead.
Using a vm or docker for isolation is perfectly fine, but don’t use both. Either throw docker on your host or put them all in as systemd services on a vm.
Spread-spectrum audio watermarks will survive multiple re-encodings and are extremely difficult to detect.
Iirc google widevine will embed a device code, and if a pirated copy of some content is found, they will blacklist the gpu’s device code so it can’t receive 4k content anymore. That’s video, but it’s the same idea.
Streaming sites can embed an unhearable data stream into audio signal. It’s possible
That being said, it’s extremely improbable, given the costs to do it at scale.
If you’re part of a large company’s beta program and have access to some unreleased product, maybe worry.
If you grabbed a file from some mega host updown whatever site, don’t worry.
And if you’re still worried, take a sha256 hash and put it into google search. If you get any results that even mention your file’s title, then you’re good.
I recommend 3.5s - they’ll be a little cheaper and a little more readily available. It’s also worth noting that sata drives can plug into your SAS controller, so you can use any and all 3.5” drives that you can find :)
You’ll want to learn the difference between SAS and SATA connectors. You can very probably use either. 3.5 inch is the “standard” size, while 2.5 inch was more popular for laptops. However, in the interest of density, servers started accepting 2.5 inch drives to fit more drives per rack.
You can get great deals on used sas drives on ebay, but if you don’t know how to monitor s.m.a.r.t. data / rebuild a zfs array, that can be very very risky. You need to be able to survive concurrent disk failures.
Honestly your best bet is brand new western digital or seagate drives. Buy them on amazon, but double check that the seller is legit. That’s it.
Networking is super simple - or at least it started out like that. Then we ran out of numbers, and had to invent nat. Then we invented ipv6, which has lots of numbers, but is unfathomably complicated.
I recommend learning about NAT / network address translation. NAT is not a stateful firewall, but acts kinda like one.
You can understand a stateful firewall by understanding the tcp handshake. TCP is hugely important. Don’t worry about fin_wait_2 and that nonsense, just get syn/synack/ack down.
People will brush off udp because it’s easier, but it’s also important.
Once you get NAT/stateful firewalls, I would look into wireguard. That’s the protocol underneath tailscale. Know that it wraps your tcp packets in an encrypted udp datagram. Then find out how tailscale sets up your wireguard connections without port forwarding - or don’t, as webrtc-style signaling is famously impossibly complicated.
Here’s what you should do - spin up all the services you want, but put them behind an nginx reverse proxy. Then put that behind a WAF. Getting those layers aligned will teach you a huge amount of useful stuff.
In general, don’t worry about hackers unless exposing a port to the internet. Then worry. Your router’s stateful firewall will do a good job until you poke holes in it.
If you want a cool side project, listen on port 20 and dump the characters that the web scanners send to you. If they don’t send anything, send a username prompt after the tcp handshake - the robots will give you the login creds that they try against weak boxes :)
Extremely. It’s just slow, but once you get used to that, it’s solid.
Wireguard creates a new network interface that accepts, encrypts, wraps, and ships packets out your typical network interface.
If you were to create a kernel network namespace and move the wireguard interface into that new namespace, the connection to your existing nic is not broken.
You can then use some custom systemd units to start your *rr software of choice in said namespace, rendering you immune to dns leaks, and any other such vpn failures.
If you throw bridge interfaces into the mix, you can create gateways to tor / i2p / ipfs / Yggdrasil / etc as desired. You’ll need a bridge anyway to get your requester software interface exposed to your reverse proxy.
Wireguard also allows multiple peers, so you could multi-nic a portable personal device, and access all your admin interfaces while traveling, with the same vpn-failure-free peace of mind.
Put http://0.0.0.0:11473
Your current setting is the “loopback” address. You’re listening for traffic to this address, and the only thing that can send to the loopback is yourself. This is a safe default, it means only the computer running the software can talk to it. Generally 0.0.0.0 listens on all available addresses. If that doesn’t work, use your local / internal ip.
This ui smells like it’s trying to hide the implementation details, but that makes things extremely difficult when troubleshooting