this post was submitted on 22 Nov 2023
5 points (100.0% liked)

Self-Hosted Main

502 readers
4 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

Like the title says, I'm new to the self-hosting world. 😀 While I was researching, I found out that many people dissuaded me from self-hosting an email server. Just too complicated and hard to manage. What other services do you think we should just leave to the currently available providers in the market, and why? 🙂 Thank you
[–] [email protected] 1 points 10 months ago (6 children)

Clearly, opening an RDP port on the internet. NEVER.

[–] [email protected] 1 points 10 months ago (1 children)

What do you mean by "clearly"? Open RDP without password protection?

I often use RDP to access my desktop Windows 10.

[–] [email protected] 1 points 10 months ago (1 children)

The password isn't enough. It's not a hardened protocol and vulnerabilities are found in it with some regularity. There have been unauthenticated RCEs before, i.e. the nightmare scenario.

[–] [email protected] 1 points 10 months ago (1 children)

Those vulnerabilities come from humans clicking on files they're not supposed to click on. NO way of communication is secure against that. Not even the magic of Tailscale. RDP offers 2FA and has an encrypted connection. It's fine!

[–] [email protected] 1 points 10 months ago (1 children)

Even Microsoft recommends against opening RDP to the web and recommends using a VPN instead.

You're playing with fire here.

[–] [email protected] 1 points 10 months ago

Microsoft recommends against opening RDP to the web

As far as a few google searches got me: No, they don't.

[–] [email protected] 1 points 10 months ago (1 children)

What is wrong with that? Don't they still need correct credentials to connect?

[–] [email protected] 1 points 10 months ago (1 children)

The service itself is insecure. You need to hide it behind a more secure setup if you want to expose it to the internet. It's been a long while since I tried, but I have some foggy memories of an RDP Server that would encapsulate the connection in an SSL tunnel and forward the connection to the remote machine rather than exposing the RDP client itself to the internet.

Definitely do your research on how to do it securely before you just set it up and open it to the wild.

[–] [email protected] 1 points 10 months ago (1 children)
[–] [email protected] 1 points 10 months ago (1 children)

Oh sure, VPN is definitely the preferred way if you already have the infrastructure in place. My experience with the front-end RDP server was years ago as the sysadmin for a company. My experience is likely very out of date, and was very corporate-focused, rather than for an enthusiast.

Nowadays I try not to touch Windows, and haven't used RDP in years.

[–] [email protected] 1 points 10 months ago

These days there are so many bots scanning that you have to be so careful.

[–] [email protected] 1 points 10 months ago (1 children)

I have a load balancer on my network that has opened one port on my home network. The load balancer is connected over Cloudflare and is encrypted on both sides. Is that okay?

[–] [email protected] 2 points 10 months ago

Why did you choose to open a port if you use Cloudflare? Couldn't you use a Cloudflare Tunnel in that case?

[–] [email protected] 1 points 10 months ago

Lol, I work at an attack surface scanning company. Every freaking company I talk to, with very few exceptions, has at least one of these. If not a whole infrastructure. Then they cry, "how did we get ransomware?"

[–] [email protected] 1 points 10 months ago

PSA for you guys that RDP over the net: turn that off and use a VPN like WireGuard or Tailscale, or use something like Apache Guacamole.

[–] [email protected] 1 points 10 months ago

Don't try to be clever and change the port from 3389 to something else either.

Scanners can fingerprint traffic and just blast the other ports instead.

I (foolishly) did this a few years ago and luckily I had account lockout enabled.

Constant attempts all day long - they were even able to enumerate local users and try to log in as them (fortunately they never could, because the passwords were random KeePass ones).

Don't do it, seriously
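The "constant attempts all day long" described in this comment show up in the Windows Security log as a stream of failed logons of type 10 (RemoteInteractive). The following is an added example, not code from anyone in this thread, that runs simple detection logic over constructed sample events: it groups failed RDP logons by source address, flags sources above a threshold, and lists lockouts. The event lines are a simplified, made-up `key=value` rendering of events 4625/4624/4740, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines loosely modelled on Windows Security log events
# (4625 = failed logon, 4624 = successful logon, 4740 = account locked out).
# Logon Type 10 = RemoteInteractive, i.e. RDP. Field names are simplified
# and all addresses are made up (documentation ranges).
SAMPLE_EVENTS = """\
EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.7
EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.7
EventID=4624 LogonType=10 TargetUserName=alice IpAddress=192.168.1.20
EventID=4625 LogonType=2 TargetUserName=alice IpAddress=127.0.0.1
EventID=4625 LogonType=10 TargetUserName=alice IpAddress=198.51.100.9
EventID=4740 TargetUserName=alice IpAddress=203.0.113.7
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each 'key=value ...' line into a dict; skip blank lines."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]

def failed_rdp_by_source(events):
    """Group failed RemoteInteractive (RDP) logons by source address.
    Returns {ip: {"attempts": n, "users": [sorted distinct usernames tried]}}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ev in events:
        if ev.get("EventID") == "4625" and ev.get("LogonType") == "10":
            entry = per_ip[ev["IpAddress"]]
            entry["attempts"] += 1
            entry["users"].add(ev["TargetUserName"])
    return {ip: {"attempts": e["attempts"], "users": sorted(e["users"])}
            for ip, e in per_ip.items()}

def flag_sources(report, threshold=4):
    """Sources at or above the threshold of failed RDP logons: many distinct
    users from one address is a spray, one user many times is brute force."""
    return sorted(ip for ip, e in report.items() if e["attempts"] >= threshold)

def lockouts(events):
    """Map locked-out accounts (4740) to the addresses that triggered them."""
    locked = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4740":
            locked[ev["TargetUserName"]].append(ev["IpAddress"])
    return dict(locked)
```

On the sample data, `flag_sources(failed_rdp_by_source(parse_events(SAMPLE_EVENTS)))` returns the single spraying address, while the local and LAN entries are ignored because they are not type-10 failures.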