sylver_dragon

All of the above.

Is it that ISPs are being paid by tech-bros to assign them these IPs?

Bullet Proof Hosting is a thing. Some ISPs basically advertise to criminals about their ability to evade take down orders and unwillingness to work with law enforcement. So, some infrastructure ends up on these devices. However, the IP ranges from these services often get discovered and are added to public reputation and block lists.

Along side this, cloud providers are pretty bad about policing their networks. On my own home server, I have blocked much of the Digital Ocean IP space, as it’s home to a lot of scanners, bots and other malicious traffic.

Is it that residential devices have been hacked /contain malware that does this?

This happens, a lot. The Mirai Botnet thrived on compromised home routers. People are pretty bad at updating their devices and many SOHO routers ship with some pretty bad vulnerabilities. It’s only a matter of time until someone finds an unpatched or misconfigured router and adds it to a botnet. People also get phished or install trojans all the time, adding to botnets. Darknet Diaries just had a fantastic episode on the Bayrob malware, part of which was turning infected machines into a custom botnet.

Is it trivial for companies to assign themselves residential IPs?

Some ISPs just look the other way when they get reports of malicious activity on their network. Also, attackers can force a DHCP refresh and just get a new IP when the old one seems blocked. Getting one in the first place is often as simple as signing up for service and/or compromising someone’s home PC and using it as a relay.

Paid volunteers are doing this for AI companies?

This probably happens. Afterall, we’ve already seen a company selling an AI product which was just workers in India.

Obviously this is a problem because one can rotate / cycle through residential IPs and if I aggressively block each offender in my logs permanently, then the next person assigned this IP who may be a legitimate user will be unable to access my site.

Look into Fail2Ban. This program monitors your logs and will ban IPs automatically based on criteria you set. This can include specific HTTP requests in your web logs. The ban can be permanent or can be time limited. For example, I have a container running in a cloud provider which I use to proxy requests through my ISP’s CGNAT setup. There is an NGinx reverse proxy running there and I have fail2ban watching the access log. If certain request strings are seen, the sending IP gets dumped in a permanent jail. I also have it scanning the sshd logs and banning IPs which fail to login 3 times within a short period.

It’s far from a silver bullet, but it’s something which should be running on any web facing system. Attackers will always be rattling the door knobs. There is no reason to let them keep rattling away.

A joke is a lot like a frog, it can be informative to dissect it, but the patient usually dies in the process.

IT is what you do when you are good with computers and not so much with people. You get really good at making the magic number boxes work for the MBAs and start explaining RFCs or networking protocols so that they fuck back off upstairs so you can go back to digging through log files and pcaps. It’s all just puzzle solving, reading and a crippling fear of social interactions.

AI Slop code base. Did Microsoft go open source?

I can think of a couple of reasons off the top of my head.

You don’t say, but I assume you are working on-site with your work system. So, the first consideration would be a firewall at your work’s network perimeter. A common security practice is to block outbound connections on unusual ports. This usually means anything not 80/tcp or 443/tcp. Other ports will be allowed on an exception basis. For example, developers may be allowed to access 22/tcp outbound, though that may also be limited to only specific remote IP addresses.

You may also have some sort of proxy and/or Cloud Access Security Broker (CASB) software running on your work system. This setup would be used to inspect the network connections your work system is making and allow/block based on various policy settings. For example, a CASB might be configured to look at a domain reputation service and block connections to any domain whose reputation is consider suspect or malicious. Domains may also be blocked based on things like age, or category. For this type of block, the port used won’t matter. It will just be “domain something.tld looks sketchy, so block all the things”. With “sketchy” being defined by the company in it’s various access policies.

A last reason could be application control. If the services you are trying to connect to rely on a local program running on your work system, it’s possible that the system is set to prevent unknown applications from running. This setup is less common, but it growing in popularity (it just sucks big old donkey balls to get setup and maintain). The idea being that only known and trusted applications are allowed to run on the system, and everything else is blocked by default. This looks like an application just crashing to the end user (you), but it provides a pretty nice layer of protection for the network defenders.

Messing with the local pc is of course forbidden.

Ya, that’s pretty normal. If you have something you really need to use, talk with your network security team. Most of us network defenders are pretty reasonable people who just want to keep the network safe, without impacting the business. That said, I suspect you’re going to run into issues with what you are trying to run. Something like SyncThing or some cloud based storage is really useful for businesses. But, businesses aren’t going to be so keen to have you backing their data up to your home server. Sure, that might not be your intention, but this is now another possible path for data to leave the network which they need to keep an eye on. All because you want to store your personal data on your work system. That’s not going to go over well. Even worse, you’re probably going to be somewhat resistant when they ask you to start feeding your server’s logs into the businesses log repository. Since this is what they would need to prove that you aren’t sending business data to it. It’s just a bad idea all around.

I’d suspect Paperless is going to run into similar issues. It’s a pretty obvious way for you to steal company data. Sure, this is probably not your intention, but the network defenders have to consider that possibility. Again, they are likely to outright deny it. Though if you and enough folks at your company want to use something like this, talk with your IT teams, it might be possible to get an instance hosted by the business for business use. There is no guarantee, but if it’s a useful productivity package, maybe you will have a really positive project under your belt to talk about.

FreshRSS you might be able to get going. Instead of segregating services by port, stand up something like NGinx on port 443 and configure it as a reverse proxy. Use host headers to separate services such that you have sync.yourdomain.tld mapped to your SyncThing instance, office.yourdomain.tld mapped to your paperless instance and rss.yourdomain.tld mapped to FreshRSS. This gets you around issues with port blocking and makes managing TLS certificates easier. You can have a single cert sitting in front of all your services, rather than needing to configure TLS for each service individually.

Ya, I actually run both uBlock Origin and NoScript in my browser on my phone and personal machine (desktop). On my work laptop, those are a no-go. So, I get the full ads experience on my work machine when traveling.

I run Pi-Hole in a docker container on my server. I never saw the point in having a dedicated bit of hardware for it.
That said, I don’t understand how people use the internet without one. The times I have had to travel for work, trying to do anything on the internet reminded me of the bad old days of the '90s with pop-ups and flashing banners enticing me to punch the monkey. It’s just sad to see one of the greatest communications platforms we have ever created reduced to a fire-hose of ads.

I started self hosting in the days well before containers (early 2000’s). Having been though that hell, I’m very happy to have containers.
I like to tinker with new things and with bare metal installs this has a way of adding cruft to servers and slowly causing the system to get into an unstable state. That’s my own fault, but I’m a simple person who likes simple solutions. There are also the classic issues with dependency hell and just flat out incompatible software. While these issues have gotten much better over the years, isolating applications avoids this problem completely. It also makes OS and hardware upgrades less likely to break stuff.

These days, I run everything in containers. My wife and I play games like Valheim together and I have a Dockerfile template I use to build self-hosted serves in a container. The Dockerfile usually just requires a few tweaks for AppId, exposed ports and mount points for save data. That paired with a docker-compose.yaml (also built off a template) means I usually have a container up and running in fairly short order. The update process could probably be better, I currently just rebuild the image, but it gets the job done.

But, but, docker, kubernetes, hyper-scale convergence and other buzzwords from the 2010’s! These fancy words can’t just mean resource and namespace isolation!

In all seriousness, the isolation provided by containers is significant enough that administration of containers is different from running everything in the same OS. That’s different in a good way though, I don’t miss the bad old days of everything on a single server in the same space. Anyone else remember the joys of Windows Small Business Server? Let’s run Active Directory, Exchange and MSSQL on the same box. No way that will lead to prob… oh shit, the RAM is on fire.

I know that, during my own move from Windows to Linux, I found that the USB drive tended to lag under heavy read/write operations. I did not experienced that with Linux directly loaded on a SATA SSD. I also had some issues dealing with my storage drive (NVMe SSD) still using an NTFS file system. Once I went full Linux and ext4, it’s been nothing but smooth sailing.

As @MagicShel@lemmy.zip pointed out, performance will depend heavily on the generation of USB device and port. I was using a USB 3.1 device and a USB 3.1 port (no idea on the generation). So, speeds were ok-ish. By comparison, SATA 2 can have a transfer rate of 2 GB/s. And while the SSD itself may not have saturated that bandwidth, it almost certainly blew the transfer rate of my USB device out of the water. When I later upgraded to an NVMe drive, things just got better.

Overall, load times from the USB drive is the one place I wouldn’t trust testing Linux on USB. It’s going to be slower and have lag compared to an SSD. Read/Write performance should be comparable to Windows. Though, taking the precaution of either dual booting or backing up your Windows install can certainly make sense to test things out.

Fun fact, in some countries the 3.5" floppies were called “stiffy disks”. You know, because the outer casing was “stiff” as opposed to the floppy 5.25" disks. This discovery led to a lot of chuckling among the team I worked with when we opened a new product from one of those countries and read the manual. The instruction to “insert stiffy disk” still leads most of us to chuckling today.

ever had to worry whether you’d parked your hard drive’s heads before moving it, child…?

Yes, also you parked it before shutting down the system every time. Once the hard drive was powered down, the heads would just crash into the platters. While not instantly fatal, it wasn’t good for the drive. So, you’d park the drive before flipping the power switch.

It’s been a few of years since did my initial setup (8 apparently, just checked); so, my info is definitely out of date. Looking at the Ubuntu site they still list Ubuntu 16.04, but I think the info on setting it up is still valid. Though, it looks like they only list setting up a mirror or a stripe set without parity. A mirror is fine, but you trade half your storage space for complete data redundancy. That can make sense, but usually not for a self hosting situation. A stripe set without parity is only useful for losing data, never use this. The option you’ll want is a raidz, which is a stripe set with parity. The command will look like:

zpool create zpool raidz /dev/sdb /dev/sdc /dev/sdd

This would create a zpool named “zpool” from the drives at /dev/sdb, /dev/sdc and /dev/sdd.

I would suggest spending some time reading up on the setup. It was actually pretty simple to do, but it’s good to have a foundation to work with. I also have this link bookmarked, as it was really helpful for getting rolling snapshots setup. As with the data redundancy given by RAID, it does not replace backups; but, can be used as part of a backup strategy. They also help when you make a mistake and delete/overwrite a file.

Finally, to answer your question about hardware, my recollection and experience has been that ZFS is not terribly demanding of CPU. I ran a Intel Core i3 for most of the server’s life and only upgraded when I realized that I wanted to game servers on it. Memory is more of an issue. The minimum requrement most often cited is 8GB, but I also saw a rule of thumb that you want 1GB of memory for each TB of storage. In the end, I went with 8GB of RAM, as I only had 4TB of storage (3 2TB disks in a RAIDZ1). But, also think about what other workloads you have on the system. When built, I was only running NextCloud, NGinx, Splunk, PiHole and WordPress (all in docker containers). And the initial 8GB of RAM was doing just fine. When I started running game servers, I stared to run into issues. I now have 16GB and am mostly fine. Some game servers can be a bit heavy (e.g. Minecraft, because fucking Java), but I don’t normally see problems. Also, since the link I provided mentioned it, skip ECC memory. it’s almost never worth the cost, and for home use that “almost never” gets much closer to “actually never”.

When choosing disks, keep in mind that you will need a minimum of 2 disks and you effectively lose the storage space of one of the disks in the pool to parity storage (assuming all disks are the same size). Also, it is best for all of the disks to be the same size. You can technically use different size disks in the same pool; but, the larger disks get treated as the same size as the smaller disks. So long as the pool is healthy, read speeds are better than a single disk as the read can be spread out among the pool. But, write speeds can be slower, as the parity needs to be calculated at write time. Otherwise, you’re pretty free to choose any disks which will be recognized by the OS. You mention that 1TB is filling up; so, you’ll want to pick something bigger. I mentioned using spinning disks, as they can provide a lot more space for the money. Something like a 14TB WD Red drive can be had for $280 ($20/TB). With three of those in a RAIDZ1 pool, you get ~28TB of storage and can tolerate one disk failure , without losing data. With solid state disks, you can expect costs closer to $80/TB. Though, there is a tradeoff in speed. So, you need to consider what type of workloads you expect the storage pool to handle. Video editing on spinning rust is not going to be fun. Streaming video at 4k is probably OK, though 8k is going to struggle.

A couple other things think about are space in the chassis, drive connections and power. Chassis space is pretty obvious, you gotta put the disks in the box. Technically, you don’t have to mount the disks, they can just be sitting at the bottom of the case, but this can cause problems with heat shortening the lifespan of the drives. It’s best to have them properly mounted and fans pushing air over them. Drive connections are one of those, you either have the headers or you don’t. Make sure your motherboard can support 3 more drives with the chosen interface (SATA, NVMe, etc.) before you get the drives. Nothing sucks more than having a fancy new drive only to be unable to plug it into the motherboard. Lastly, drives (and especially spinning drives) can be power hungry. Make sure your power supply can support the extra power requirements.

Good luck whatever route you pick.

Probably the easiest solution would be to just chuck a larger disk in the system and retain the original drive for the operating system. If you do not need the high speed of an SSD, you may be able to get more storage space for the money by going with a spinning disk. 7200RPM drives are fast enough for most applications, though you may run into issues streaming 4K (or higher) resolution video.

Another option would be to start building out a storage pool using some type of RAID technology. On my own server, I use ZFS for the data partition. It is basically a software RAID. I use a RAID-Z1 configuration, which stripes the data over multiple disks (three in my case) and uses a parity calculation to provide data redundancy. It also has the advantage that it can be expanded to new disks dynamically and does not require that all disks are the same size. Initial setup does require more work and you are now monitoring multiple physical disks, but having a unified storage pool and redundancy is a nice way to go.

Any way you go, just make sure you have good backups. Drives fail, and sometimes even early in their life. Backblaze reports can be an interesting read when looking at drive options, as they really do put the drives through the wringer.

Yup, that’s a bug in the chair-keyboard interface.

I think it’s less about the tech picked and more about developers with no sense of security and a poor understanding of networking. I’ve seen far too many web applications where the developer needed some sort of database behind it (MySQL, PostGres, MSSQL) and so they stood up either a container or entire VM with a public IP and whatever the networking layer set to allow any IP to hit the database port. The excuse is almost always something like, “we needed the web front end to be able to reach the database, so we gave the database server/container a public IP and allowed access”. Which is wonderful, right up until half of the IP addresses in Russia start trying to brute force the database.

Ya, Secure Boot is really only useful for corporate devices or very specific people who might actually be targeted by state level attackers. For most of us, it’s not worth the hassle.

do any of you hate how self-hosting services like photo- or document-management systems, or even a simple rss tool, forces you to sort your stuff out, and put your decades old files in order?!

What is this “sort” thing you speak of? I don’t sort anything, I have NextCloud syncing my entire photos, videos and documents folders and they are just as messy as ever. Granted, I do go through my photos and videos once a year and dump them in a folder named for the year they were taken. Occasionally, I’ll go hog wild and try to sort some of a year’s photos/videos into folders named after events. Though, that hasn’t happened in a number of years. I setup NextCloud so I could have everything synced to my own server and just forget, not have to deal with labeling my data.

As for bookmarks. I already keep those in folders; but, I don’t sync those. I use my desktop far more than I use my phone for web browsing. And the types of things I use my phone for (mostly recipes), I just keep bookmarked there.

The first issue with running a coin miner is using company resources for your own profit. Your own system, using your own electricity, go for it. Running it on a company owned laptop, while at a company building, burning electricity the company is paying for. Ya, that starts to get uncomfortably close to fraud or theft. There is also that whole, “running unauthorized software on a company system, doing who knows what else in the background.” There is a very real possibility that the coin miner has unknown vulnerabilities which could allow remote code execution; or, just outright be malicious and contain a remote access trojan. Maybe he was smart enough to audit all the code it was using and be very sure that’s not the case. More likely, he just grabbed a random implementation of XMRIG, put his wallet in the config file and ran it. Either way, he also made a point of refusing to remove it, so we escalated up to management. With the recent ransomware outbreak having been in the multi-million dollar (possibly low tens of millions) damage range, refusing to remove unauthorized software went over about as well as a lead balloon. There may have been other factors at play; but, the unauthorized software and being a dick about removing it was what got him out the door.

If you spin it up, fucking own it. When you’re done with it, shut it down. I have long lost count of the number of times I’ve reached out to a team to ask about the coin miner they are running on some random EC2 instance only to find out that some jackass spun it up for a test, gave it a public IP, set the VPC to allow any inbound traffic, installed all kinds of random crap and then never updated it. Nor did it get shutdown when the test ended. So, a year and a half later, when the software was woefully out of date, someone hacked it and spun up a coin miner. Oh, and the jackass who set it up didn’t bother to enable logging or security monitoring. But, they sure as hell needed the ability to spin stuff up on their own. Because working with IT to get it done right would be too hard for their fragile little ego.