
Self-hosting with Kamal: Watch your ports when shipping.

I’ve been playing around with Kamal from Basecamp (previously called MRSK) for deploying simple apps on a single server.

There’s a lot to like about Kamal’s ergonomics and principles. But there were a few things that I struggled with or that confused me.

It mostly boils down to Kamal offering a layer of abstraction over Docker, SSH and a few Linux commands. But perhaps more importantly, DHH, the creator of Kamal, quite explicitly says that:

“[It] is designed for multi-server operation”.

DHH

Why is this distinction important?

Because it implicitly gives up some of the nicer (and more secure) features of Docker on a single host, primarily internal network connections and container name resolution.

“[It] is designed for multi-server operation, so the internal network idea breaks down pretty quick with that. You’d have to unstrip all of that when you go to scale it. So I think we’re better off keeping the network host transparent.”

DHH

This is a completely fair design choice, and it removes a lot of complexity from Kamal. However, when you’re running your new startup or a hobby project, you want to keep things simple and run it all on one host.

But you don’t want to compromise on security and unintentionally expose your database or Redis to the outside world, right?

Who’s sharing my data? … and who the hell is Dave M. Rogenmoser?

I’m no longer active on Facebook, but at the moment, oddly, it’s my main go-to option to find out at least some of the companies that share my data.

Facebook lets you see who shared your data with them. There are two interesting pages, buried and well-hidden, worth checking: Off Facebook activity and Businesses who uploaded and used a list.

Want to see which companies are sharing your data? Continue reading.

take your pick

The book piqued my curiosity, so I picked it up and took a peek at the first page. It was written by an artist at the peak of her career.

As a non-native speaker, I guess that when I pronounce any of those words, pick, peek, peak or pique, they all sound the same. So it’s even harder for me to memorise them clearly. I mostly get it right, but I can occasionally confuse some forms.

Especially peek and peak.

It doesn’t happen with meet and meat, feet and feat, leek and leak though. I wonder why.


invisible reCAPTCHA v3 with Rails and Devise

We’ve recently been hit with more and more bots.

Some of them are crawling our site and hitting valid or invalid endpoints. We’ve seen plenty of credential stuffing attacks as well, most of them distributed across different IPs, with each IP hitting us at a low frequency.

And most recently, someone abused our registration form to spam their recipients via our system.

It was quite clever actually. When you register, you enter your name, email and password. We then send a confirmation email saying something like

“Hey Roberta, thanks for joining. Please click here to confirm your account”.

Now those guys used their victims’ email addresses, and used the name field to insert a URL. So those users would get an email like

“Hey lottery tickets http://some.link, thanks for joining. Please click here to confirm your account”.

Slimy. Naturally our own email system took the hit of sending the spam. Double ouch.

Luckily, we had some anomaly detection in place, and we blocked those guys quickly. They used some browser automation from a fixed set of IPs, so it was easy to block. At least until the next wave…

I’ve been dealing with those types of scenarios with fail2ban, and it’s really quite effective. We define regular expressions that match certain patterns in our log files, and then ban the source IP if we see repeated abusive behaviour. fail2ban is limited in some aspects though.

First of all, those rules are a bit of a pain to create and maintain, and you need to make sure the offending IP appears in the application log record you want to match. In some cases that’s easy, but not always. The bigger problem however is that fail2ban doesn’t scale. The more servers you have — let’s say in a load-balanced setup — the less accurate fail2ban becomes, because each host only sees its own share of the traffic. Or you need to aggregate all your logs on a single fail2ban host, creating a single point of failure or a bottleneck…

So I was searching for a better solution. Sadly there aren’t many. Cloudflare, which we also use, offers some degree of protection. But it’s not as flexible. And of course there’s reCAPTCHA. You know, those annoying things asking you to pick traffic signs, or even just click “I’m not a robot”?

I was initially hesitant to use it. I’m not sure why, but the fact that it doesn’t really have any real competition bothers me. Plus, as a user, I’m frequently annoyed by those challenges, and I hate the experience.

Luckily, the latest version of reCAPTCHA (v3) doesn’t present any user-facing challenges. It’s completely invisible. The no-competition problem is not something I can solve. I discovered that even Cloudflare itself uses reCAPTCHA in some cases, and these guys have their own JavaScript challenge and what not… So I decided to bite the bullet and give it a shot.

Setting it up is surprisingly simple, and from my limited experience it is quite effective. That is, the scores it produced were surprisingly accurate, although my ability to test different scenarios was limited.

I’ll try to give some pointers for implementing reCAPTCHA v3 with Rails 5.1 and Devise 4. The implementation can work with any form or controller however, not just with Devise.

Introducing envwarden – manage your server secrets with Bitwarden

TL;DR

envwarden is a simple, open-source script that lets you easily manage your server secrets with the Bitwarden password manager.


Software? eugh!

I had a strange conversation with my wife this morning.

She told me that Google Reader is closing down.

She’s using it much more than I do. So I said to her something like “I’m sure you can install some other RSS reader software to replace Google”.

Her response was a bit of a surprise for me: “Software?! eugh!”.

Then I said “Ok then, or an app”, and she seemed rather pleased.

How did software become such a dirty word?!