That is basically the essence of this post too! Except crowdsec is used to do what fail2ban does + some light form of WAF (without spinning another machine - which is not strictly needed for a WAF, you can use owasp modsecurity-ready proxies).
loudwhisper
joined 10 months ago
Thanks! I did mention this briefly, although I belong to the school that "since I am anyway banning IPs that fail authentication a few times, it's not worth changing the port". I think that it's a valid thing especially if you ingest logs somewhere, but if you do don't choose 2222! I have added a link to shodan in the post, which shows that almost everybody who changes port, changes to 2222!
Yes, pretty much that. Plus some configuration might be easier with a DNS hosting. But the main benefit is decoupling domain and DNS for easier change.
Been there...
I thought my API keys were expired, I regenerated them, changed a couple of things, checked all API calls to see if they changed API itself...then I searched the exact error and found out.
For such a breaking change to the API, was it hard to drop an email to every account not meeting the damn "requirements" with an API call performed in the last x months, to alert of the change?
Yep, I like bunny in fact. It didn't have all the features I needed back then, but it's a very good product, I heard very good things.
I also agree about the pricing. I ended up not using desec.io, but if I did, I would have probably set a 1-2 Euros recurring donation, as I feel that's a totally acceptable price.
As for why people use GoDaddy well... I feel personally attacked as that's exactly how I ended up there, when I didn't know better.
I also use porkbun, their API is not a masterpiece but it works and allows you to get, set and update records. In fact their API is now supported by some of the common ddns scripts out there.
I think I used it in the past. Is the one where every X months you need to go the the console and confirm the domain is still used, right?
I think nowadays there are better options (incl. Free) with less maintenance and more flexibility
That's a very interesting gotcha. They don't seem to support address ranges either. Unless once you add the whitelist the requests still work from any address (their documentation is ambiguous). This is even more confusing.
Desec.io is a good option. To be honest using cloudflare just for DNS is completely OK. It's not a service that allows spying on you or consolidates their monopoly.
I also migrated everything to Porkbun. Gandi used to be good too, we used it extensively at work in my previous org (~3 years ago).
Is the whole sector regressing? It seems these companies aren't happy just earning a profit based on the service they offer. There is always something "more" that they need to do. Often this makes the experience worse. Meh.
Super happy with Porkbun BTW, it just works, does what it's needed and I found the renewals to be 50% cheaper compared to GoDaddy...
I found it on their FAQ.
Yes, it is generally less restrictive, but... I have 4 domains, and now I have renewed all of them for the maximum amount. They will all expire after 2033. So unless I decide to add more domains (which is unlikely), I won't spend a cent in the next ~9 years. I wonder if they really enforce it as it is written or they consider still the renewal an expense "split" over the duration.
Still, I really don't understand. You can - and should - have proper rate limits on the API. You have API keys that uniquely identify the source, what is "the abuse" they are trying to prevent this way...?
Yep I agree. Especially looking at all the usernames that are tried. I do the same and the only risk come from SSH vulnerabilities. Since nobody would burn a 0-day for SSH (priceless) on my server, unattended upgrades solve this problem too for the most part.