2·
7 hours agoDocker restricts the permissions of software running in the container. It is hardened by default and you need to manually grant permissions in some rare cases.
Possibly linux
I know nothing!
- 133 Posts
- 7.09K Comments
Joined 2 years ago
Cake day: June 26th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
Always good advise
However, OpenSSH is pretty solid security wise. https://www.openssh.com/security.html
Note: it is best to check the official security pages instead of random websites.
5·17 hours agoHow is this a meme?
This isn’t a meme
Yes and no
Breaking out of docker in a real life context would require either a massive misconfiguration or a major security vulnerability. Chances are you aren’t going to have much in the way of lateral movement but it is always good to have defense in depth.
This is security theater
Flaws in SSH do happen but they are very rare. The solution to this is defense in depth which is different than security by obscurity.
To expand on this a bit:
A lot of attacks are automated since the goal is to compromise as many hosts as possible. These hosts are then used in a botnet or sold to people on shader websites to use as proxies.
IP whitelists are not terribly secure and are quite a hassle.
Instead use a overlay VPN or some sort of extra security layer like mTLS or Authelia
With SSH it is easier to do key authentication. Certificate authentication is supported but it is a little more hassle. Don’t use password authentication as it is deprecated and not secure.
The key with SSH (openssh specifically) is that it is heavily audited so it is unlikely to have any issues. The problem is when you start exposing self hosted services with lots of attack surface. You need to be very careful when exposing services as web services are very hard to secure and can be the source of a compromise that you may or may not be aware of.
It is much safer to use a overlay VPN or some other frontend for authentication like mTLS or an authenticated reverse proxy.
Two nodes doesn’t provide quorum
Ok grandpa let’s get you to bed
It is done that way for better reliability. It is optional and not even needed with Silverblue.
2·2 days agoThat sounds like a security nightmare…
The company is probably to cheap to actually do security correctly. (Until they are ransomwared or need to get cyber insurance)
Sometimes it is done for compliance. It is all about the CYA (cover your ass)
Autoupdate is fine for personal stuff. Just set a specific date so that you know if something breaks. Rollbacks are easy and very rarely needed.
Kubernetes is the Arch of Containers except way more confusing
Why wouldn’t you just use Docker compose? It has NFS support build in and there are Ansible playbooks for it
I personally moved to podman since it integrates with systemd but it is a bit harder.
Please don’t bypass work restrictions
You can run lots of kde apps on Windows and Mac OS. I personally use Kate at work since it is far faster than VScode
There even is a konsole port in the works
You forgot shriek