Tag: security

  • Share files securely with Enclosed

    My accountant works for one of those giant firms, and it bugs me that I’m emailing him password-protected zip files of my accounts rather than to a secure upload facility at his firm. I can fix this with the power of self hosting, by running my own secure file dropping app on a VPS.…

  • npm ERR! Exit handler never called!

    I quite like GitHub scanning all my code and sending me security advisories. Here’s today’s: With these, and my dependabot alerts, fixing them is usually just a matter of pulling down the project, running an npm update, building any artifacts, then pushing it back up. But today, not so: package-lock.json It’s probably worth revisiting what…

  • SSH login notification

    My VPSs are usually locked down so that just ports 80 & 443 (for web server) and 22 (for ssh) are open. That’s great for reducing the attack surface, but having ssh open is a potentially disastrous vulnerability. For this reason I often close that at the cloud firewall level as well, but it has to…

  • Due Diligence on a Docker Image

    I need a survey tool, and a quick search turned up LimeSurvey, there’s a ‘community edition’ so naturally I plan to self-host it. I scrolled down to the ‘installation’ section of the manual which has a big list of PHP dependencies. Ain’t nobody got the time for that in 2024, I scroll further looking for…

  • Quick & Dirty auth with nginx & Node

    One of the basic requirements for any serious web app is a proper users/roles/authentication system – but if you’re just throwing up a utility of some kind on a public IP for testing, and you don’t want it to be abused, then this could be an option. There’s a few components: I briefly discussed web…

  • Beginning Node App Security

    Since I’m using Tailscale to painlessly manage all my networking on the homeserver here and my remotes, I’ve had the luxury of being a bit casual about the security of my internal apps and self hosted dev tools. I’m currently iterating on a web app that requires public access, and is therefore up on a…

  • User Sessions & Cookies in Node

    When you are learning app development, you can create all sorts of apps that work for you, but for any serious app, it’s going to need to authenticate users and persist sessions across visits. So much so, that as a professional developer, you’ll probably build that out first – it becomes a sort of boiler…

  • Disable SSH root logins

    This always makes me laugh: It’s like half the traffic on the internet is bots trying random passwords on root accounts over ssh. This is on an Ubuntu VPS on BinaryLane that had only been spun up five minutes or so. Looks like about one attempt every 10 seconds. This is why the number three…

  • Ansible with Secrets

    We wrote a nice little Ansible playbook the other day to install nginx on our web servers and ensure it was running. We were able to store the usernames in the hosts inventory file using the ansible_ssh_user variable. Then, we ran the playbook with the command: ansible-playbook web_installs.yaml --ask-become-pass This asked us the password to…

  • ssh key login on VPS

    Due to potential brute force attacks, it’s a good idea to turn off password access via ssh and instead rely on ssh keys. In this post, I’ll run through that process. Generating your key: On a Mac (or actually most *nix systems), your ssh keys live in the .ssh directory inside the user’s home directory.…