#homeLab fun...Randomly checked my #graylog dashboard for self hosted webserver.
-
#homeLab fun...
Randomly checked my #graylog dashboard for self hosted webserver. Oh someone was trying various WordPress vulns again... Let's see the inbound IPs...
Oh,... Oh no. The call is coming from inside the network! In the 192.168.1.0/24 group...
K, check that host... Oh yeah
β
οΈ that's the node that hosts the externally visible reverse proxy service.
Derp,
Well, at least reconfiguration of the proxy and webserver to carry the real client IP was fairly straightforward. Just something I missed during my initial, and subsequent, configuration.Though somewhat risky, connecting computers to the wild network is always a learning experience. My autodidactic ass learns so much from seeing that something can be done then trying naively to do it myself. Bumping up against each and every hurdle informs the why then the how of the best in class solutions. I may not always succeed but I get a better understanding of the tools and technology landscape we exist in.
-
R relay@relay.mycrowd.ca shared this topic
-
#homeLab fun...
Randomly checked my #graylog dashboard for self hosted webserver. Oh someone was trying various WordPress vulns again... Let's see the inbound IPs...
Oh,... Oh no. The call is coming from inside the network! In the 192.168.1.0/24 group...
K, check that host... Oh yeahβοΈ that's the node that hosts the externally visible reverse proxy service.
Derp,
Well, at least reconfiguration of the proxy and webserver to carry the real client IP was fairly straightforward. Just something I missed during my initial, and subsequent, configuration.Though somewhat risky, connecting computers to the wild network is always a learning experience. My autodidactic ass learns so much from seeing that something can be done then trying naively to do it myself. Bumping up against each and every hurdle informs the why then the how of the best in class solutions. I may not always succeed but I get a better understanding of the tools and technology landscape we exist in.
@RyeNCode oh, how do you secure that exposed reverse proxy? (well, besides graylog, ofc)
I have one where I just setup mTLS auth for non-local access. No log monitoring. No fail2ban or the likes... Am I asking for (too much) trouble?
-
@RyeNCode oh, how do you secure that exposed reverse proxy? (well, besides graylog, ofc)
I have one where I just setup mTLS auth for non-local access. No log monitoring. No fail2ban or the likes... Am I asking for (too much) trouble?
@tinsuke
That endpoint gets a LetsEncrypt cert, anything with auth usually requires openId.
I've got fail2ban on one service as it came as a feature.
Been contemplating putting it in more globally.
Also, as much as possible, single responsibility services.
The proxy does proxy stuff.
The web server does static pages.
Other services are containerized and individually secured and isolated as much as possible.
GrayLog is for monitoring, doesn't itself secure anything. But does let me know what to focus on.. (when I monitor the relevant info
)
