Comments
This is what felt awkward,
and it was already derailed on 17th December.
And that is all 100% true. That is not best practice. A hypervisor should never be on a public address; if someone hacks it, they can delete all VMs running on it. Calin and I had a talk about this, and he said he will redo the setup at some point.
If bigger companies can get hacked, and they do from time to time, as some have nothing better to do with their skills, imagine a hypervisor node, protected by a password only, free on the net, how exposed is that?
Even better, let me give you a better example, I am amazed that no one stated this before:
Posting invoice numbers/order numbers on a sales thread, as is the trend now, is a bad idea in my point of view regarding security and anonymity.
At some point the provider might get hacked (let's just presume this can actually happen). The intruder now has "declared names in the billing platform" + order and invoice numbers on forums (not just LET) where the members posted on the sales thread.
So with a simple Excel sheet and some formulas (not even using AI-GPT), he can expose a ton of shit.
Now, stating the obvious makes me what?
And again, we are departing the sole purpose of this thread, and that is something I do not wish to do.
If you want a quick and dirty solution to the problem of exposing instances publicly, just install Fail2ban and have it ban after 1-2 attempts. It supports Proxmox.
https://pve.proxmox.com/wiki/Fail2ban
I assume the reason Calin exposes his instances publicly is to allow users to have access to it (i.e. through a restricted PVE user).
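To show what the Fail2ban suggestion above actually does on the hypervisor side, here is an added example (not code from the thread or from the Proxmox wiki) that implements the same maxretry/findtime counting Fail2ban applies, run over a few constructed log lines. The line format, the `pvedaemon` source tag and the `rhost=` field are assumptions about how Proxmox logs authentication failures; check them against your own `/var/log/daemon.log` before building a real jail filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in the shape Proxmox (assumed: pvedaemon) writes
# authentication failures to the daemon log. Addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 17 10:00:01 pve1 pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Dec 17 10:00:03 pve1 pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=admin@pam msg=Authentication failure
Dec 17 10:00:05 pve1 pvedaemon[1234]: authentication failure; rhost=198.51.100.9 user=root@pam msg=Authentication failure
Dec 17 10:00:07 pve1 pvedaemon[1234]: successful auth for user 'root@pam'
Dec 17 10:20:00 pve1 pvedaemon[1234]: authentication failure; rhost=198.51.100.9 user=root@pam msg=Authentication failure
Dec 17 10:25:00 pve1 pvedaemon[1234]: authentication failure; rhost=198.51.100.9 user=root@pam msg=Authentication failure
"""

# Equivalent of a fail2ban failregex: capture the timestamp, the remote host and the user.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pvedaemon\[\d+\]: "
    r"authentication failure; rhost=(?P<host>[0-9a-fA-F.:]+) user=(?P<user>\S+)"
)


def parse_failures(log_text, year=2023):
    """Return (timestamp, host, user) for every failed login line.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"]))
    return events


def compute_bans(events, maxretry=2, findtime=timedelta(minutes=10)):
    """Sliding-window counter like fail2ban's maxretry/findtime.

    A host is banned at the moment its `maxretry`-th failure lands inside a
    `findtime` window. Returns {host: ban_timestamp}.
    """
    recent = defaultdict(list)
    banned = {}
    for ts, host, _user in sorted(events):
        if host in banned:
            continue  # already banned; fail2ban would not see further packets
        # keep only failures still inside the window, then add this one
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for host, when in compute_bans(events, maxretry=2).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With `maxretry=2`, as the post suggests, the first host is banned on its second attempt two seconds later, while the second host's first two failures are twenty minutes apart and do not count together; only its third attempt, five minutes after the second, trips the ban. With Fail2ban's stock `maxretry` of 3 nothing in this sample is banned at all, which is the trade-off a 1-2 attempt setting buys you: faster lockout, and a higher chance of banning yourself after a typo.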
Yes, let's complicate something that can be fixed with having them on a management vlan, simple as hell, and 1 single firewall rule on the router/firewall that says:
anything from public addresses to internal management addresses action DROP.
Most effective solutions are the simplest, in any domain/field. But yes, you can definitely implement fail2ban, and burn expensive IPv4 public addresses rather than using them for your customers, whatever works.
The simplest and most secure way I can think of it is corporate VPN access only. EOL
That's pretty clever. I didn't think of this either and probably even less those people dumping their order numbers everywhere. Getting the billing DB of some spammy host might make it easily possible to dox a whole lot of forum accounts.
@totally_not_banned
Thank you