• 1 Post
  • 82 Comments
Joined 2 years ago
cake
Cake day: April 30th, 2024

help-circle







  • I have many services that doesn’t “need” to be public, as public facing for one specific reason. TLS.

    A lot of the times android apps won’t connect to http directions, not even local ones, and require a proper https connection with a well known CA.

    For that I put the services behind a caddy reverse proxy to get a valid tls certificate.

    And them I do the trick, and basically on caddy reject any connection that’s not local. Thus, making the supposedly “public” site a practical “local” one.

    Once there I just connect through wireguard.






  • I’m in the process of building a monitoring system with grafana stack.

    Right now I have monitoring panels for some common metrics and logs. I am yet to set up alerts.

    The idea being that if something goes wrong some metric will grow up unexpectedly, for instance network traffic. And I would get a notification.

    What I’m still considering is what would I consider abnormal behavior, so I could set up the thresholds.


  • What do you want to expose, something static or dynamic?

    It would be a service you wrote or some stablish project?

    I would recommend running whichever service you want to expose through a reverse proxy, traefik or caddy. That way you have some sort of “chocking point” where you can control what’s going and it’s already handling some security for you.

    The service should be kept updated.

    Then you need a ips (intrusion prevention system). Most famous are fail2ban or crowdsec. You feed the ips the service logs and the reverse proxy logs, and ban ips that try to do something strange. I use crowdsec with a bunch of scenarios and their block lists.

    At the end you should only have a couple of ports open to the internet. Usually 80 and 443, and whichever port you use for the vpn, i recommend wireguard. So people should only connect to you via 80 or 443 and those ports should be binded to the reverse proxy. Everything else should never be able to enter your network.

    If you have all that and keep everything updated the attack surface becomes really small. You’ll get spam bots trying to probe for vulnerabilities but if you keep everything updated they won’t find anything.

    Depending on how many people you want to access your service you could also do some aggressive geoblocking, to reduce the number of bot attacks.

    The biggest risk here would be a vulnerability on the reverse proxy or the service you use. Keep an eye out for cve and update things regularly. If a vulnerability allows for remote code execution, then mitigation becomes almost impossible besides a good backup plan. If your vpn fails on you you are also fucked. But wireguard is pretty well secured. Bot scans shouldn’t even be able to know you have wg because pings and connections attempts fail silently without proper authentication.




  • I think the issue is that many sites are too aggressive with it. Anubis can be configured to only ask for challenges if the site is under unusual load, for instance when a botnet it’s actually ddosing the site. That’s when it shines.

    Making it constantly ask for challenges when the service is not under attack is just a massive waste of energy. And many sites just enable it constantly because they can defer bot pings from their logs that way. That’s for instance what op is doing. It’s just a big misunderstanding of the tool.


  • I don’t know if “anything”. But surely people overestimate its capabilities.

    It’s only a PoW challenge. Any bot can execute a PoW challenge. For a smal to medium number of bots the energy difference it’s negligible.

    Anubis it’s useful when millions of bots would want to attack a site. Then the energy difference of the PoW (specially because Anubis increase the challenge if there’s a big number of petitions) can be enough to make the attacker desist, or maybe it’s not enough, but at least then it’s doing something.

    I see more useful against DDOS than AI scrapping. And only if the service being DDOS is more heavy than Anubis itself, if not you can get DDOS via anubis petitions. For AI scrapping I don’t see the point, you don’t need millions of bots to scrape a site unless you are talking about a massively big site.


  • You are right. For most self-hosting usecases anubis is not only irrelevant, but it actually works against you. False sense of security and making your devices do extra work for nothing.

    Anubis is though for public facing services that may get ddos or AI scrapped by some not targeted bot (for a target bot it’s trivial to get over Anubis in order to scrap).

    And it’s never a substitute of crowdsec or fail2ban. Getting an Anubis token it’s just a matter of executing the PoW challenge. You still need a way to detect and ban malicious attacks.


  • I don’t think you have a usecase for Anubis.

    Anubis is mainly aimed against bad AI scrappers and some ddos mitigation if you have a heavy service.

    You are getting hit exactly the same, anubis doesn’t put up a block list or anything. It just put itself in front of the service. The load on your server and the risk you take it’s very similar anubis or not anubis here. Most bots are not AI scrappers they are just proving. So the hit on your server is the same.

    What you want is to properly set up fail2ban or, even better, crowdsec. That would actually block and ban bots that try to prove your server.

    If you are just self-hosting with Anubis the only thing you are doing is deriving the log noise towards Anubis logs and making your devices do a PoW every once in a while when you want to use your services.

    Being honest I don’t know what you are self hosting. But at least it’s something that’s going to get ddos or AI scrapped, there’s not much point with Anubis.

    Also Anubis is not a substitute for fail2ban or crowdsec. You need something to detect and ban brute force attacks. If not the attacker would only need to execute the anubis challenge get the token for the week and then they are free to attack your services as they like.