Cake day: Jun 19, 2023


I have MFA enabled on that account and have had it there for years. :) (2FA + WebAuthn) Password already updated too. :) That email, I know, has been all over the dark web based on my monitoring alerts, and I know it's been used. All of my important user accounts with that email were changed to a new one 6 or so months ago. I just forgot about this one and, like I said, never really used it anyway. :)


Lack of Security with Oracle Cloud
Let me preface this with: this was a dormant account with no instances set up, and I put it into place maybe 4 or 5 years ago while getting into the self-hosted space. I don't recall if I had MFA set up, but don't think I did as it was a test space. In fact, I forgot I even had it up until now.

So this weekend, we were out of town and I get this alert from Oracle Cloud saying that my account was locked, with a password reset link. This was sent to an email I've had since 2004 that has been sold many, many times on the dark web, as evidenced by the amount of spam I get on it and as my monitoring services confirm. I figured it was a weak phishing ploy to get my credentials, so I ignored it. Then about 3 or 4 or so minutes later, the account was unlocked, with another email to confirm this (without my touching anything).

So, last night when I returned home, I went to Oracle, ignoring the email links and using my browser's address bar. To no surprise of my own, I can't log in or reset my credentials. Somehow, the attackers were able to exploit their platform to intercept the password reset and change everything to their credentials.

It's no real loss on my end honestly; Oracle had an old canceled debit card number for recurring billing if I should have ever used their services anyway. It just bugs me that they allowed it to happen so easily. The lack of MFA, I'm sure, didn't help the matter, but honestly, what gets me the most: their password reset email and the one saying it was unlocked had no links or contact information to correct the situation if this was incorrect. Further proof on my end that Oracle doesn't care about anything other than the money grab.

***tl;dr*** My lack of MFA enabled hackers to attack my formerly dormant and forgotten Oracle account and lock me out, and Oracle doesn't seem to mind.
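The failure mode in the post above is a forgotten, still-ACTIVE cloud user with no MFA. As an added example (not the poster's code, and not Oracle's), here is a small audit that flags exactly that combination: users who have no MFA device activated and have not logged in for a long time. The audit logic works on plain dicts and runs offline against constructed sample data; the optional loader assumes the OCI Python SDK (`pip install oci`, a `~/.oci/config` profile) and that `IdentityClient.list_users` returns User objects with the fields `name`, `lifecycle_state`, `is_mfa_activated`, `time_created` and `last_successful_login_time`. Those field names and the 180-day dormancy threshold are assumptions, not something the post states.

```python
"""Flag dormant OCI IAM users that have no MFA activated.

Added example, not code from the original post. The pure functions below
operate on plain dicts so the demo runs offline; load_users_from_oci() is
the only part that touches the real OCI SDK (field names assumed).
"""
from datetime import datetime, timedelta, timezone

# Assumed policy: no successful login in 180 days counts as dormant.
DORMANT_AFTER = timedelta(days=180)


def classify_user(user, now):
    """Return findings for one user record.

    Expected keys (assumed to mirror oci.identity.models.User):
      name, lifecycle_state, is_mfa_activated, time_created,
      last_successful_login_time (None if the user never logged in).
    """
    findings = []
    if user.get("lifecycle_state") != "ACTIVE":
        return findings  # deleted/inactive users cannot be used to sign in
    # A user who never logged in is measured from creation time instead.
    last_seen = user.get("last_successful_login_time") or user["time_created"]
    dormant = (now - last_seen) > DORMANT_AFTER
    no_mfa = not user.get("is_mfa_activated")
    if no_mfa:
        findings.append("no_mfa")
    if dormant:
        findings.append("dormant")
    if dormant and no_mfa:
        findings.append("dormant_without_mfa")  # the case described in the post
    return findings


def audit_users(users, now=None):
    """Map user name -> findings, omitting users with nothing to report."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for user in users:
        findings = classify_user(user, now)
        if findings:
            report[user["name"]] = findings
    return report


def load_users_from_oci(profile="DEFAULT"):
    """Fetch real users through the OCI SDK (assumed API; not used offline)."""
    import oci  # assumed: pip install oci, ~/.oci/config configured
    config = oci.config.from_file(profile_name=profile)
    identity = oci.identity.IdentityClient(config)
    users = oci.pagination.list_call_get_all_results(
        identity.list_users, config["tenancy"]
    ).data
    return [
        {
            "name": u.name,
            "lifecycle_state": u.lifecycle_state,
            "is_mfa_activated": u.is_mfa_activated,
            "time_created": u.time_created,
            "last_successful_login_time": u.last_successful_login_time,
        }
        for u in users
    ]


# Constructed sample data (fictional users) so the audit runs offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"name": "admin", "lifecycle_state": "ACTIVE", "is_mfa_activated": True,
     "time_created": NOW - timedelta(days=1500),
     "last_successful_login_time": NOW - timedelta(days=2)},
    # The forgotten "test space": created years ago, no MFA, never logged in.
    {"name": "test-space", "lifecycle_state": "ACTIVE", "is_mfa_activated": False,
     "time_created": NOW - timedelta(days=1600),
     "last_successful_login_time": None},
    {"name": "old-contractor", "lifecycle_state": "INACTIVE", "is_mfa_activated": False,
     "time_created": NOW - timedelta(days=900),
     "last_successful_login_time": NOW - timedelta(days=800)},
    {"name": "ops-bot", "lifecycle_state": "ACTIVE", "is_mfa_activated": False,
     "time_created": NOW - timedelta(days=300),
     "last_successful_login_time": NOW - timedelta(days=10)},
    {"name": "archived-admin", "lifecycle_state": "ACTIVE", "is_mfa_activated": True,
     "time_created": NOW - timedelta(days=1200),
     "last_successful_login_time": NOW - timedelta(days=400)},
]


if __name__ == "__main__":
    for name, findings in sorted(audit_users(SAMPLE_USERS, NOW).items()):
        print(f"{name}: {', '.join(findings)}")
```

Run it as-is to see the offline report; swap `SAMPLE_USERS` for `load_users_from_oci()` to audit a real tenancy. Anything tagged `dormant_without_mfa` is the account to either delete or put behind MFA before someone else resets its password.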

$10/year gets you what you need from Purelymail. https://purelymail.com I have used them for the last year or so and the service is fast and near real time with messages hitting my inbox (I use Thunderbird to download my mail).


I use this:

Timekpr-NExT (it's stylized that way). Here's a decent write-up of it:

https://itsfoss.com/timekpr-next/

And the source, I think: https://mjasnik.gitlab.io/timekpr-next/

Here's our household need for it, and I think most people will not like it, but it's what works for us. I have a special needs adult step-daughter who has a TBI from a major traumatic auto accident at the age of 2. For most people who see her, she passes as high functioning, but that is on the outside. As a result of the accident and brain injury at age 2, in real life she has problems with the concept of time and time management. She also lacks the executive functioning that most adults have, such as making the correct decisions in life, just to name a few. Having this on her system (Arch Linux) allows us to at least limit the screen time, which is what we were wanting. As for filtering NSFW stuff: she's extremely turned off by the thought of people being intimate, so we are pretty comfortable with unfiltered internet. (I also run a DNS server which, if needed, can filter traffic.)

Another person mentioned using SELinux. This reminded me of using OpenSuSE; that distro is very tuned toward administrative access for even basic things such as modifying the network (well... at least basic for me, LOL). I think of it as an ideal OS for small organizations with a single IT person on staff.


What I do is this, and some may frown upon it because, well... Cloudflare! But I use Cloudflare's tunnels to access my remote instances for my password manager, Home Assistant and an SSH shell, all of which are behind passwords and 2FA. I then have only one port open on my router, and that's for my WireGuard instance. I access it using my DDNS and can be on my home network from anywhere.

I'd move away from the tunnels and push everything through WG, but my family is not as savvy as I am and don't always activate the tunnel when away from home. I am putting a plan in place for that this weekend though. :)


Primary benefit of using a VPS:

Placing mission-critical items there which you cannot afford to have go down due to hardware failure. Some of those items may be a DNS server, uptime monitor, or VPN/WireGuard tunnel.

They are usually quite fast, and will provide a STATIC IP, which makes it easier to set your domain's DNS resolver to; it never changes as long as you keep paying. :)

**Disadvantages of VPS:**

Who says they don't log into your VPS instance and snoop around? I'm sure about 99.99% of VPS hosts will never do that and are ethical, and honestly, won't really care to. At a moment's notice, the VPS can close shop and take your data with them. (I had that happen once a few years ago.) No warning was given and they went dark. Very aggravating. Fortunately, I had a fairly recent backup, but still.

If you do go with a VPS, a place which supports KVM is a huge bonus! You can then install just about any host OS you want. Pivo is a good place for this and they are reasonably priced. They've been around since 1997 and I doubt they will go anywhere. Or you can spin up an instance at Linode and take advantage of some of the free trials they have (Jupiter Broadcasting, a podcast production company, has something like a $100 credit for them, so you can get your 'feet wet' testing things out).

My advice, if you go with a VPS: avoid eBay for hosting plans, and read reviews of the sites you are considering. Trustpilot and others are often great resources.

**Benefits of your own hardware:** You have everything on your server, you know where everything is, and you can have the peace of mind of knowing it's there and not looked at by anyone but you or those you trust.

**Disadvantages of your own hardware:**

If anything fails, you are responsible for repairing/replacing it; this can also mean some massive downtime depending on how long it takes.

Your hardware is limited by the resources you give it (memory, disk space, etc.). Your ISP may throttle your data and cap the usage as well.