this post was submitted on 30 Dec 2023
340 points (94.5% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54565 readers
477 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
340
Me vs my ISP (lemmy.dbzer0.com)
submitted 10 months ago* (last edited 10 months ago) by theblueredditrefugee@lemmy.dbzer0.com to c/piracy@lemmy.dbzer0.com
 

So I was looking into getting port forwarding set up and I realized just how closed-off the internet has gotten since the early days. It's concerning. It used to be you would buy your own router and connect it to the internet, and that router would control port-forwarding and what-have-you.

Now, your ISP provides your router, which runs their firmware, which (in my case) doesn't even have the option to enable port forwarding.

It gets worse - because ISPs are choosing NATs over IPv6, so even if you install a custom firmware on your router without it getting blacklisted by your ISP, you still can't expose your server to the internet because the NAT refuses to forward traffic your way. They even devise special NAT schemes like symmetric NAT to thwart hole punching.

Basically this all means that I have to purchase my web hosting separately. Or relay all the traffic through an unnecessary third party, introducing a point of failure.

It's frustrating.

I like to control my stuff. I don't like to depend on other people or be in a position where I have to trust someone not to fuck with my shit. Like, if the only thing outside my apartment that mattered to my website was a DNS record, I'd be really happy with that.

Edit: TIL ISPs in the US don't have NATs

Edit 2: OMG so much advice. My knowledge about computers is SO clearly outdated, I have a lot of things to read up on.

Edit 3: There's definitely a CGNAT involved since the WAN ip in the router config is not the same as the one I get when I use a website that echos my IP address. Far as I can tell ~~my devices don't get unique IPv6 addresses either~~. (funnily enough, if I check my IP address on my phone using roaming data, there's no IPv6 address at all). It's a router/modem combo, at least I think since there's only one device in my apartment (maybe there's a modem managing the whole complex or something?). And it doesn't have a bridge mode, except for OTT. Might try plugging my own router into it, but it feels like a waste of time and money from what I'm seeing. Probably best to just host services over a VPN or smth.

Edit 4: Devices do get unique IPv6 addresses, but it's moot since I can't do anything but ping them. I guess it wouldn't be port forwarding but something else that I would have to do that my router doesn't support

you are viewing a single comment's thread
view the rest of the comments
[–] lud@lemm.ee 1 points 10 months ago (1 children)

Why use your ISPs router then? Just buy your own.

And a webserver is probably the safest thing to put online.

You can also put the server in a DMZ and or use reverse proxy's and a bunch of other stuff.

[–] Aradia@lemmy.ml 1 points 10 months ago (1 children)

I already have my own router, even if a web server is safer, you are still exposing your IP which is what I don't want to do. DMZ doesn't solve anything, is just worse than setting up a port forward as you are opening all the ports to the server at home, your server at home has access to all your network so once infected by any 0-day exploit, you are fucked up.

I just hire online servers and I have my own Ansible playbooks to manage those servers, this way I don't provide my real IP (my home) to anyone.

[–] lud@lemm.ee 1 points 10 months ago* (last edited 10 months ago) (1 children)

as you are opening all the ports to the server at home, your server at home has access to all your network so once infected by any 0-day exploit, you are fucked up.

No, the entire point of a DMZ is to insulate a device from the rest of the network and you can (should) configure which ports that are forwarded to the DMZ, don't just forward everything. You can (should) also configure a bunch of other normal firewall rules for the DMZ.

Personally I don't consider "exposing" your home IP to be a big deal. It's just an IP.

[–] Aradia@lemmy.ml 1 points 10 months ago* (last edited 10 months ago) (1 children)

https://en.wikipedia.org/wiki/DMZ_(computing)#DMZ_host -> By definition, this is not a true DMZ (demilitarized zone), since the router alone does not separate the host from the internal network.


Home routers aren't firewalls or something similar, they have some minimal logic that can act like a firewall, but they aren't. There is no need to expose your IP, there are many alternatives to do stuff without exposing it.

[–] lud@lemm.ee 1 points 10 months ago (1 children)

I'm of course referring to a real DMZ and not a DMZ host.

I won't call home routers "not firewalls" just bad firewalls Surprisingly even Cisco firewalls support DMZ hosts. I have no idea why you would ever what to use that.

There is no need to expose your IP, there are many alternatives to do stuff without exposing it.

. Maybe but why would it matter, especially enough to pay cloud bills?

I have a cheap VPS for my website but that is just because I'm behind a CGNAT and I won't bother to solve that.

[–] Aradia@lemmy.ml 1 points 10 months ago* (last edited 10 months ago) (1 children)

I’m of course referring to a real DMZ and not a DMZ host.

Maybe but why would it matter, especially enough to pay cloud bills?

Because we are talking home-made stuff, we didn't talk about a real firewall or any infrastructure, and even doing that is much more expensive than the cheap VPS.

I have a cheap VPS for my website but that is just because I’m behind a CGNAT and I won’t bother to solve that.

Same, that's why I am saying there is no need to expose your IP, unnecessary risks.

[–] lud@lemm.ee 1 points 10 months ago (1 children)

Same, that's why I am saying there is no need to expose your IP, unnecessary risks.

You will learn much more with self hosting at home though. Which is arguably worth much more.

Same, that's why I am saying there is no need to expose your IP, unnecessary risks.

Why is it a risk?

[–] Aradia@lemmy.ml 1 points 10 months ago (1 children)

You will learn much more with self hosting at home though. Which is arguably worth much more.

Much more? It's the same... What's the difference?

Why is it a risk?

https://security.stackexchange.com/questions/41983/what-risks-are-involved-in-exposing-our-home-computers-over-the-public-internet ...

[–] lud@lemm.ee 1 points 10 months ago (1 children)

Much more? It's the same... What's the difference?

You would learn more about the hardware site and maybe more about setting up stuff like VM hosts and of course security.

Basically you learn everything from start to finish. Maybe you could even setup a proper VM host using proxmox or something.

You might not care about that, and that's perfectly fine. But I suspect that most people that selfhosts (at home or cloud) are probably going to be the type of person that wants to learn more.

https://security.stackexchange.com/questions/41983/what-risks-are-involved-in-exposing-our-home-computers-over-the-public-internet

So as expected it isn't really risky as long as you take the appropriate security actions. Especially if you have insulated the server on a DMZ or VLAN. In most cases, personal websites are essentially disposable as long as you keep backups. You are probably not handing payment or personal data or anything else sensitive. The biggest risk is probably ddos but who really ddos a random website and the same risk applies to a VPS except that a ddos could use all your allocated bandwidth.

A VPS doesn't solve any security issues with your website itself. SAAS (like paying wordpress instead of hosting a WP server at home or on a VPS) might help but that's boring and more expensive.

If all you're doing is hosting a simple website, you really don't need to worry. Just take the basic security steps that you would do on a VPS anyways. If you use wordpress I would be a bit more cautious since they are extremely popular targets.

[–] Aradia@lemmy.ml 0 points 10 months ago (1 children)

I'm getting a bit tired of your replies.

Basically you learn everything from start to finish. Maybe you could even setup a proper VM host using proxmox or something.

The cost of a server at home as you are saying is much more than hiring it online. The only difference is how you boot the BIOS to install the ISO burned into a USB. A hosting service would require you to do it different, and you will anyway learn it in this way, which could help you in the future to deploy some product ready or for your work. So there is no difference at all, and you also need to secure it.

So as expected it isn’t really risky as long as you take the appropriate security actions.

I don't know if you really read it. It is saying that you can never expect when a new 0-day vulnerability comes out. Like: https://venafi.com/blog/ssh-vulnerability-allows-authentication-without-password/ → "attacker could successfully authenticate without any credentials"

A VPS doesn’t solve any security issues with your website itself.

Yeah, it solves that they only infect your server on a hosting provider and not your home where you have your phone, router, more devices where they can test more exploits to them. Also, your hosting provider normally also monitors for suspicious requests so if it is infected, your provider will inform you of suspicious activities.

[–] lud@lemm.ee 0 points 10 months ago* (last edited 10 months ago) (1 children)

I'm getting a bit tired of your replies.

Ditto

The cost of a server at home as you are saying is much more than hiring it online. The only difference is how you boot the BIOS to install the ISO burned into a USB. A hosting service would require you to do it different, and you will anyway learn it in this way, which could help you in the future to deploy some product ready or for your work. So there is no difference at all, and you also need to secure it.

Cost highly depends on what you buy. A proxmox host can be expensive but a raspberry pi isn't.

You can do much more at home, like setting up complicated VM hosts and learn networking. Few servers actually run on bare metal these days, it's all VMs now.

I don't know if you really read it. It is saying that you can never expect when a new 0-day vulnerability comes out. Like: https://venafi.com/blog/ssh-vulnerability-allows-authentication-without-password/ → "attacker could successfully authenticate without any credentials"

The same would happen on a VPS...

Yeah, it solves that they only infect your server on a hosting provider and not your home where you have your phone, router, more devices where they can test more exploits to them. Also, your hosting provider normally also monitors for suspicious requests so if it is infected, your provider will inform you of suspicious activities.

Like I said multiple times, insulate the server from your LAN.

If you know what you are doing there is nothing to worry about. The only attackers a small personal website will encounter are automated bots.

If it ever gets infected which it likely won't unless you are doing something incredibly stupid like exposing SSH with default passwords (or even enabling password authentication at all honestly, auth should be key based.) Just reinstall the device/VM that got infected.

It is fine to refuse to host at home but don't fearmonger others that want to save money and learn more about security, networking, virtualization, and other homelab stuff. And some people just want a single raspberry pi hosting their simple website, that is very cheap and secure enough. You don't need to pay cloud bills if you want a website. That is my point. You can, but you don't need too.

[–] Aradia@lemmy.ml 1 points 10 months ago (1 children)

They can learn that all without exposing their IP. You don't really get it, huh.... good luck.

[–] lud@lemm.ee 1 points 10 months ago (1 children)

But it doesn't matter if you expose your IP.

[–] Aradia@lemmy.ml 1 points 10 months ago (1 children)

It does matters if you expose your IP.

That's why tunnels like Cloudflare and AWS exists to serve your home services to the public without exposing your IP. https://www.kali.org/tools/routersploit/ is a tool for example to target routers, if bad hackers can make botnet to brute force your servers 24/7, they can implement other exploits and you better don't take any mistake any day.

The only safe device is the one isolated from internet and others connections. If you really want to learn to have your own home lab, then learn it → https://tailscale.com/ and stop being lazy, there is no need to expose your IP, there is absolute no reason unless you are that lazy, but even you said you prefer paying a cheap VPS than messing with it.

Say it again, let's keep this loop going, but work a bit more on your responses.

[–] lud@lemm.ee 0 points 10 months ago (1 children)

Please learn at least something about network security before commenting again.

Thanks.

[–] Aradia@lemmy.ml 0 points 10 months ago

I already know about network security.