Compare commits
3 commits
7ec3d37186
...
5ddaa5e385
| Author | SHA1 | Date | |
|---|---|---|---|
 Akemi Izuko
|
5ddaa5e385
|
||
|
Akemi Izuko
|
f679eaf2d1
|
||
|
Akemi Izuko
|
aa9c63256d
|
|
|
@ -189,3 +189,5 @@ how much impact they have in a retrospective:
|
|||
- **2024-03-27**: DataBricks open sources DBRX, a 132B parameter MoE with 36B
|
||||
parameters active per forward pass. It was trained on 12T tokens. According
|
||||
to user evaluation, it beats Mixtral for all uses.
|
||||
- **2024-04-18**: Meta releases LLaMA3 8b and 70b. 70b is the new best open
|
||||
model, right around Claude3 Sonnet and above older gpt4 versions!
|
||||
|
|
|
|||
|
|
@ -24,25 +24,25 @@ easily get *inward* access to any port.
|
|||
|
||||
The easiest method, and probably recommended for most users, is using Software
|
||||
Driven WAN (SDWAN). This is similar to a VPN, but unlike Wireguard, ZeroTier One
|
||||
doesn't [[1]] require a centralized server.
|
||||
doesn't<sup>1</sup> require a centralized server.
|
||||
|
||||
Advantages:
|
||||
- Free version is good enough for most small groups
|
||||
- Very simple setup
|
||||
- Very fast through UDP hole-punching
|
||||
- Very low latency through UDP hole-punching
|
||||
- Free (for up to 25 clients)
|
||||
|
||||
Drawbacks:
|
||||
- Limit of 25 clients (on the [free
|
||||
version](https://www.zerotier.com/pricing/))
|
||||
- Requires installing separate software on all clients
|
||||
- Sometimes fails to connect for up to an hour... very hard to debug when it
|
||||
happens
|
||||
- Can only be used by clients on the VPN. For example, a public webserver won't
|
||||
be able to use this
|
||||
- Limit of 25 clients (on the [free
|
||||
version](https://www.zerotier.com/pricing/))
|
||||
|
||||
To use ZeroTier:
|
||||
1. Sign up for an account at [zerotier.com](https://www.zerotier.com/)
|
||||
2. Under "Networks" create a network and give it a name. Ensure access control
|
||||
2. Under "Networks" create a network and give it a name. Ensure Access Control
|
||||
is private.
|
||||
3. Install ZeroTier One on all clients you'd like to connect. You can add more
|
||||
later.
|
||||
|
|
@ -168,3 +168,171 @@ ssh -p 8022 emiliko@172.27.10.10
|
|||
```
|
||||
|
||||
This will be forwarded to port 22 on the server!
|
||||
|
||||
## Reverse Proxy without a Static IP
|
||||
|
||||
If you're planning to use a home computer, you'll quickly find that most
|
||||
internet service providers do not offer static IPs for consumer plans. Luckily,
|
||||
there's a very simple way around this: Domain Name Servers (DNS).
|
||||
|
||||
You will need a domain to achieve this. Domains should not cost more than
|
||||
$20/year. Here I'll use the domain `example.com` as an example.
|
||||
|
||||
The idea is that a domain will point to a specific IP, but this IP is determined
|
||||
through a lookup to the DNS. This means that if we change the IP the DNS has
|
||||
every time our computer's IP changes, we'll appear to have a static IP!
|
||||
|
||||
First, put your nameservers on a good DNS provider. I use
|
||||
[Cloudflare](https://pages.cloudflare.com/), it's free and fast. You'll need to
|
||||
find the DNS page. The URL will look something like:
|
||||
|
||||
```
|
||||
https://dash.cloudflare.com/<long-project-id>/example.com/dns/records
|
||||
```
|
||||
|
||||
There, you'll want to add an "A Record". The name will be the subdomain. So if
|
||||
my computer is called `mycomputer` and that's in the name field, it'll be
|
||||
accessible at `mycomputer.example.com`.
|
||||
|
||||
Now you need to identify your IP address. This is your PUBLIC IP address, not
|
||||
your LOCAL IP address. One easy way to do this is `curl -q
|
||||
https://ifconfig.me/ip`.
|
||||
|
||||
Make sure "Proxy Status" is OFF. Proxying the connection appears to make this
|
||||
whole idea break down very quickly, so don't.
|
||||
|
||||
With that "A Record" set, try `host mycomputer.example.com` to see when the DNS
|
||||
updates. This can take up to 4 hour, but usually takes under a minute in
|
||||
practice. With this, you should be able to access your computer using the
|
||||
domain! Of course, make sure your router's ports are forwarding to your
|
||||
computer.
|
||||
|
||||
We now need to make your computer update Cloudflare's DNS, whenever the IP
|
||||
changes. I use the script below to do this. Fill in the `HOST`, `DOMAIN`,
|
||||
`TOKEN`, `ZONE_ID`. The `TOKEN` is your Cloudflare application token:
|
||||
|
||||
```bash
|
||||
#!/usr/bin/env bash
|
||||
declare wan_ip_record wan_ip cf_records host_record cf_host_ip cf_rec_id
|
||||
|
||||
declare -r HOST='mycomputer'
|
||||
declare -r DOMAIN='example.com'
|
||||
declare -r TOKEN='...'
|
||||
declare -r ZONE_ID='...'
|
||||
|
||||
#╔─────────────────────────────────────────────────────────────────────────────╗
|
||||
#│ Gετ WΛN IP |
|
||||
#╚─────────────────────────────────────────────────────────────────────────────╝
|
||||
if ! wan_ip_record="$(curl ifconfig.me)"; then
|
||||
echo "Hosts timed out" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
wan_ip="$wan_ip_record"
|
||||
#wan_ip="$(echo "$wan_ip_record" | tail -n1 | awk '{ split($0, a, " "); print a[4] }')"
|
||||
|
||||
#╔─────────────────────────────────────────────────────────────────────────────╗
|
||||
#│ Gετ Λ rεcδrd δη Clδμdflαrε |
|
||||
#╚─────────────────────────────────────────────────────────────────────────────╝
|
||||
if ! cf_records="$(curl -s --request GET \
|
||||
--url https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records \
|
||||
--header 'Content-Type: application/json' \
|
||||
--header "Authorization: Bearer $TOKEN")"
|
||||
then
|
||||
echo "Failed to retrive cloudflare zone records" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for i in {0..4000}; do # Assuming 4000 is enough
|
||||
record="$(echo "$cf_records" | jq --raw-output ".result[${i}].name")"
|
||||
|
||||
if [[ "$record" == "${HOST}.${DOMAIN}" ]]; then
|
||||
host_record="$(echo "$cf_records" | jq -r ".result[${i}]")"
|
||||
break
|
||||
elif [[ "$record" == null ]]; then
|
||||
echo "No record found for ${HOST}.${DOMAIN}" >&2
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
#╔─────────────────────────────────────────────────────────────────────────────╗
|
||||
#│ Sετ Λ rεcδrd τδ cμrrεητ WΛN |
|
||||
#╚─────────────────────────────────────────────────────────────────────────────╝
|
||||
cf_host_ip="$(echo "$host_record" | jq -r '.content')"
|
||||
cf_rec_id="$(echo "$host_record" | jq -r '.id')"
|
||||
|
||||
if [[ -z "$cf_host_ip" || "$cf_host_ip" == null ]]; then
|
||||
echo "Failed to find content of A record for ${HOST}.${DOMAIN}" >&2
|
||||
exit 1
|
||||
elif [[ -z "$cf_rec_id" || "$cf_rec_id" == null ]]; then
|
||||
echo "Failed to find A record ID for ${HOST}.${DOMAIN}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ "$cf_host_ip" == "$wan_ip" ]]; then
|
||||
echo "Cloudflare is up to date @ $(date)" >&2
|
||||
else
|
||||
echo "Updating Cloudflare's A record from $cf_host_ip to $wan_ip" >&2
|
||||
|
||||
patch_response="$(curl -s --request PATCH \
|
||||
--url "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${cf_rec_id}" \
|
||||
--header 'Content-Type: application/json' \
|
||||
--header "Authorization: Bearer $TOKEN" \
|
||||
--data '{
|
||||
"comment": "'"${HOST} @ $(date)"'",
|
||||
"content": "'"$wan_ip"'",
|
||||
"name": "'"${HOST}.${DOMAIN}"'",
|
||||
"proxied": false,
|
||||
"ttl": 1
|
||||
}')"
|
||||
|
||||
if [[ "$(echo "$patch_response" | jq -r '.success')" == true ]]; then
|
||||
echo "Update to $wan_ip succeeded @ $(date)" >&2
|
||||
else
|
||||
echo "Failed to update A record. DUMP:"
|
||||
echo "$patch_response"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
```
|
||||
|
||||
Now we need a systemd-timer to run this script. I run it once every 15 minutes.
|
||||
Please refer to the [systemd-timers]() blog for more information, but breifly I
|
||||
use:
|
||||
|
||||
```ini
|
||||
[Unit]
|
||||
Wants=update_a_record.timer
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/local/bin/set_a_records.sh
|
||||
```
|
||||
|
||||
Timer:
|
||||
|
||||
```ini
|
||||
[Unit]
|
||||
Requires=update_a_record.service
|
||||
|
||||
[Timer]
|
||||
Unit=update_a_record.service
|
||||
OnCalendar=*-*-* *:00,15,30,45:00
|
||||
RandomizedDelaySec=15min
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
```
|
||||
|
||||
Then start it with `systemctl enable update_a_record.service`. The name of the
|
||||
service will be different based on what you called the files.
|
||||
|
||||
Now to use this for reverse-proxy purposes, go back to your `client.toml` config
|
||||
and update the `remote_addr`:
|
||||
|
||||
```toml
|
||||
[client]
|
||||
remote_addr = "mycomputer.example.com:9001"
|
||||
```
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ updateDate: 'March 28 2024'
|
|||
|
||||
Passwords are often the main method of digital identification. This means
|
||||
anything you don't want others to access but do want yourself to access is
|
||||
behind some sort of password. This means we need to optimize on two fronts:
|
||||
behind some sort of password. We need to optimize on two fronts:
|
||||
|
||||
- Easy of access: Passwords must be quick and easy to access and use
|
||||
- High security: Passwords must be strong to resist attacks
|
||||
|
|
@ -20,8 +20,8 @@ the way we'll learn a lot about password security in general!
|
|||
|
||||
## Optimizing for high-security
|
||||
|
||||
A password is pretty pointless if it's not strong enough to be cracked. Let's
|
||||
look over some core security concepts!
|
||||
A password is pretty pointless if it's not strong enough to not get cracked.
|
||||
Let's look over some core security concepts!
|
||||
|
||||
### Measuring Bits of Entropy
|
||||
|
||||
|
|
@ -148,7 +148,7 @@ result of the output space being lower dimensional than any password with higher
|
|||
entropy, so any "stronger" password would be projected down to only 256 bits of
|
||||
entropy.
|
||||
|
||||
We can also look at how fast computers can brute-force passwords.
|
||||
We can also look at how quickly computers can brute-force passwords.
|
||||
[Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is one of the most popular
|
||||
hashing choices for passwords. Assuming a company is decently secure, they use
|
||||
enough rounds of hashing such that a modern processor takes about 100ms to hash
|
||||
|
|
@ -348,11 +348,10 @@ example, if a phone camera records you typing on your keyboard to decrypt the
|
|||
GPG key, the attacker can't do *anything* with that password alone. They still
|
||||
need physical access to your system to grab the files themselves.
|
||||
|
||||
An odd benefit of 3-factor authentication is distributing backups. If you
|
||||
provide people who know you, but mutually don't know one another, you can safely
|
||||
entrust your passwords with third parties. This is since they need all 3 pieces
|
||||
to mount an attack, so giving a trusted third party only 1 piece doesn't
|
||||
compromise your security.
|
||||
An odd benefit of 3-factor authentication is distributing backups. You can
|
||||
distribute the 3 pieces between 3 third parties you trust. So long as they don't
|
||||
know each other, having 1/3 pieces doesn't compromise your security, especially
|
||||
if you trust them.
|
||||
|
||||
Malware *could* be both a key logger and grab the files from
|
||||
`~/.password-store`, but that is some very sophisticated and targeted
|
||||
|
|
|
|||
Loading…
Reference in a new issue