Self-Hosted Main

502 readers

4 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

Service: Dropbox - Alternative: Nextcloud
Service: Google Reader - Alternative: Tiny Tiny RSS
Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Awesome-Selfhosted List of Software
Awesome-Sysadmin List of Software

founded 1 year ago

MODERATORS

[email protected]

Do you know of any Android/iOS app that keeps track of the current device IP and allows the user to send the IP via webhook (or anything alike) to a server? (alien.top)

submitted 10 months ago by [email protected] to c/[email protected]

10 comments fedilink hide all child comments

Reason for my question is the following:
I want to host some services on my public server and while they all have normal password protection, I want to ensure the security a tiny bit more. Therefore I want to limit the access to the specific services through ufw and nginx to specific IP addresses. For my homeaddress I can use DYNDNS to get my current IP. However that will not work for my phone, when I'm on the go.
I don't want to constantly use vpn, as it slows down the speed of the internet connection significantly. Instead I would much prefer to just simply keep my server updated on my phones IP, so I can update the necessary config files through a script and thus allow my phone to access the services, where ever I am.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 10 months ago

Your describing port knocking.

An interesting and (effective?) security by obscurity technique.

An example:

Host port 443 web server, but by default the port is fully firewalled unless you give the secret "knock".

So you hit port 5444 first, the router sees a request to 5444, and adds the source address to a list of allowed devices for the actual 433 port. Now, just your client ip can successfully connect to port 443 as normal.

Most security researchers balk at it as wholly dumb and ineffective. But I disagree. With port knocking I get ZERO hits to my publicly exposed SSH port 22 on my actual server. The firewall shows all the port scanners hitting my block port 22, thousands per day. But unless they hit my secret combo of ports first, they don't get to the allow port 22 rule.

More complex rule would be used in production:

Hit port 5001, then 5009, then 6120, then 4001 now you can hit your actual service port. And if you don't hit them in order, no go. To reach 5009, you must hit 5001 first, to hit 6120, you must have hit 5009, which already required to have hit 5001. Add a rule where if you hit 5008, it all closes and starts over to preclude a port scanner from triggering all your rules.

Mikrotik routers have the ability to do this with firewall rules that just trigger and add a client ip to a transient src-address list. The longer your chain the better.

Android has an app called "port knocker" that makes it easy to open the door any time automatically.

Only issue is someone watching your traffic will easily see your port knocks, but that's a local, persistent adversary, not a transient scan, so yea, I get why serious security people say meh, but the threat your preventing as an individual is the random drive by scans and brute force scripts, and it's 100% effective at preventing those.