Are you not using Cloudflare? If not, do that. It's free and will solve your problem. They serve everything for you and cache it.
Edit: I would also recommend changing your origin IP once you get on cloudflare and keeping it a secret. Only share it with Cloudflare and don't make an obvious DNS record for it like origin.saudiarabiaisisis.com. Your site seems a likely target for a DDOS. If you do it right you are pretty much bulletproof, but 99% of people ignore this advice and do it wrong so their site goes down indefinitely and they throw their hands up (see: private torrent trackers)
Edit2: He appears to be setting up Cloudflare!
It would really be inconvenient if Jones was dropped by his website provider Cloudflare.
https://www.cloudflare.com/abuse/
You could file a complaint against "violent threats and harassment" on Cloudflare IP servers like, say...
MERLIN.NS.CLOUDFLARE.COM
and
ROBIN.NS.CLOUDFLARE.COM
It would be a shame if his site suddenly became inactive and he had no other outlet...
No, you don't need to go that far. Submit a complaint at https://www.cloudflare.com/abuse/form -- and since they have communicated with you via email asking for detailed personal information, I would begin by filing the complaint as phishing.
God damn, they're such fuck ups they can't even set up SSL right :/
SSL isn't hard.
There's even a god damn web server that'll handle it for you.
CloudFlare is a free speech won't ban anything bastion.
Being Nazis is one level of stupid. This is an extra level of stupid.
It means MangaDex was getting so much traffic that Cloudflare finally went "Yeah, you're not a small site anymore and you'll need to start paying for us". Hopefully, going off Cloudflare's plans, they only need to use the $20/month tier?
You can install fail2ban, which is a daemon that parses your logs and blocks all IPs that are trying to brute-force you. (http://www.fail2ban.org/wiki/index.php/Main_Page) Alternatively, if you want a simpler and more immediate solution, and it's currently only one IP, you can block it with iptables:
iptables -I INPUT -s 219.137.228.180 -j DROP
Which will drop all traffic from that IP.
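To show what fail2ban is doing under the hood for the sshd case, here is an added example (not fail2ban's code and not from the comment above): it parses constructed sshd log lines, applies a sliding failure window per IP in the spirit of fail2ban's maxretry/findtime settings, and emits the same iptables DROP rule as above for each offender instead of executing it.

```python
"""Mini fail2ban: scan sshd log lines, find IPs with repeated failures
inside a time window, and emit iptables DROP rules for them.

Added example for this thread, not fail2ban's own code. The log lines
below are constructed; maxretry/findtime mirror fail2ban's setting names
but the parser and window logic here are a simplification.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in traditional syslog format (no year field).
SAMPLE_LOG = """\
Mar 10 08:00:01 web1 sshd[2001]: Failed password for root from 219.137.228.180 port 51234 ssh2
Mar 10 08:00:03 web1 sshd[2001]: Failed password for root from 219.137.228.180 port 51240 ssh2
Mar 10 08:00:04 web1 sshd[2002]: Failed password for invalid user admin from 219.137.228.180 port 51244 ssh2
Mar 10 08:00:09 web1 sshd[2003]: Accepted publickey for deploy from 203.0.113.7 port 40000 ssh2
Mar 10 08:00:10 web1 sshd[2004]: Failed password for invalid user test from 198.51.100.23 port 4000 ssh2
Mar 10 08:01:30 web1 sshd[2005]: Failed password for root from 219.137.228.180 port 51250 ssh2
Mar 10 08:01:31 web1 sshd[2006]: Failed password for root from 219.137.228.180 port 51251 ssh2
Mar 10 09:30:00 web1 sshd[2007]: Failed password for root from 198.51.100.23 port 4001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(lines, year=2024):
    """Return (timestamp, ip) for every authentication failure line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def find_offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` failures inside any `findtime` window.

    Sliding window per IP: old failures age out, so a user who mistypes
    a password a few times over an hour does not get banned.
    """
    per_ip = defaultdict(list)
    for ts, ip in sorted(events):
        per_ip[ip].append(ts)
    banned = []
    for ip, times in per_ip.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


def iptables_rules(ips):
    """The same rule as in the comment above, one per offender (ip6tables for v6)."""
    return [
        f"{'ip6tables' if ':' in ip else 'iptables'} -I INPUT -s {ip} -j DROP"
        for ip in ips
    ]


def scan(log_text, **kw):
    """Log text in, firewall rules out (they are returned, not executed)."""
    return iptables_rules(find_offenders(parse_failures(log_text.splitlines()), **kw))


if __name__ == "__main__":
    for rule in scan(SAMPLE_LOG):
        print(rule)
```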
It'd be a "cease and desist" letter, hopefully.
You may be able to go after their hosting company and report copyright infringement. It is unlikely that they are actually hosting the site out of Bangladesh. This site may be able to determine who hosts them. (If it says Cloudflare, don't worry, Cloudflare accepts abuse reports here - have them forward to both the host and the owner.) Usually the hosting company will have some form of copyright abuse form - in the US, this is also called a DMCA complaint or takedown notice.
You may also be able to report them to PayPal or whatever payment processor they use, although this is a little more difficult.
Because huge sites can't be run from a basement in Romania? A CDN is just one part of the infrastructure necessary to support a large web presence.
The title makes it seem like this will work for everyone, which is hardly the case. This only works if you have a notebook with one of the WiFi adapters listed in that post:
> - Intel Centrino 6205 Advanced-N
> - Intel Centrino 6235 Advanced-N
> - Intel Centrino 6300 Ultimate-N
Which is pretty unlikely (but by all means do lookup the specifications of your laptop to see if you've got one of these). If you don't have that WiFi adapter, your laptop is not affected by this issue and your ping spikes are being caused by something else. Things you can try:
> Cloudflare has been ISO 27701 certified as a PII Processor and PII Controller since 2021 and the certificate is available upon request.
and even more importantly
> Cloudflare maintains PCI DSS Level 1 compliance
https://www.cloudflare.com/privacy-and-compliance/certifications/
Technically, yes, but the traffic is completely encrypted, so congrats you have something that is entirely useless. The traffic is only useful to you at one end, and the thing you're connecting to on the other.
If you are affected by this you can fix this by using an alternative IP address for imgur. Imgur uses a service called Cloudflare to host their websites. Cloudflare has a lot of IPs for their service. (See here if you are interested: https://www.cloudflare.com/ips )
Anyway, by adding these two lines to your hosts file you can redirect your traffic to a working IP:
198.41.128.1 i.imgur.com
198.41.128.1 imgur.com
Mac/Linux users: your hosts file is at /etc/hosts
Windows users: your hosts file is at C:\Windows\System32\drivers\etc\hosts
(You will need to open Notepad as an administrator to be able to save to this file: right-click Notepad -> open as administrator, then use the open dialog to find the file and edit it.)
Please remember to remove this once it is back up, as you will not be taking advantage of Cloudflare's ability to load balance across the world by forcing imgur to just these IPs.
It kinda depends on how often you're sending requests. But in a lot of cases, it can make a huge difference. Take this page I'm responding to you on for example. Opening up the Chrome inspector to the Network tab shows that the HTML for this page is 14.4 KB. At 128 Kbps, that'd take roughly a second to transfer. With a typical latency of 50ms with 4G, it hardly affects the total time. With a typical latency of 500-1000 ms on a 2G connection, you can easily double the time it takes to load a page. Now consider that this page has 23 separate resource requests (stylesheets, javascript, images, etc), and each of those potentially has an extra full second of latency added on, and it really stacks up. Granted, your browser will usually request a handful of resources in parallel, and some of them will end up being cached. But it's still very much a factor in page load time.
Also consider any kind of server-side interactivity - things like submitting a comment on reddit or search suggestions as you type in google. The typical comment is usually just a couple hundred bytes. The connection speed won't matter hardly at all. But 50ms (instantaneous) vs 1000ms (noticeable delay) in latency makes for quite a different feel. Search suggestions as you type feel much less helpful if you have to wait a second or two before they load.
If you want to experiment a bit, take a look at Net Limiter.
The DNS for those websites is also routed through Cloudflare, which is a global content delivery network. They are pretty good at putting pressure on web providers who abuse their platform. I’ve reported a few legit phishing and malware sites in the past and they shut them down within hours.
I’m gonna submit a few Abuse forms on their site in the hope of finding other angles. - https://www.cloudflare.com/abuse/form
I have no idea why you are getting the down votes; I imagine it is from Cisco purists or someone that has never worked with the wonderful RouterOS and the hardware built around it. I do hope that others might take a look at this awesome networking equipment. Link to Router OS Info
*** Also - the equipment he is suggesting is also a Firewall.. ***
Don’t use Google DNS unless you’re comfortable with Google tracking all of your internet activity. Cloudflare’s DNS (1.1.1.1, 1.0.0.1) is a better option for privacy and performance. An audit by a 3rd party in 2020 supports their claims about privacy (full report here).
https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/
I think this can explain it better than most people on here (including me obv), but TLDR it's basically a certificate that a website has that contains a bunch of info that tells whatever is on the receiving end of it that it's legit.
You're not allowed to use Cloudflare's "unlimited" bandwidth for serving video. See section 2.8 of their terms
> Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service.
The pricing of Cloudflare Stream, their video-serving service, is hard to compare, but it's probably not cheaper than BunnyCDN.
I run a few high traffic sites that get DDOSed regularly.
I've since ended up with the following winning combination.
Set up a NEW server with a new IP address. Then set up Nginx so it's serving your website through an IPv6 address not IPv4. Most Botnets aren't IPv6 capable. Cloudflare doesn't care and it'll proxy it for you. Then firewall off that IPv6 address so only cloudflare can access it using the list at https://www.cloudflare.com/ips
Then set up an Amazon S3 bucket for all your static assets (css, js, png's, jpg's, etc). Set up Cloudflare so s3bucket-xtnodes.s3.amazon.com or whatever is CNAME aliased to static.xtnodes.com and then set a Cloudflare rule so everything is heavily cached and it'll rarely, if ever, hit your S3 bucket. Then edit the HTML to point to your static asset host for all of that stuff.
For the dynamic PHP, consider making a quick Laravel PHP site and use an in-memory cache like Redis for all the dynamic stuff rather than a backend MySQL instance. MySQL uses disk too much, but Redis will help a lot.
If you skip the Redis stuff, but want an infrastructure that can handle the DDOS, try nearlyfreespeech.net
If you want to roll your own DDOS protected VPS, check out this thread for some good hosts
http://www.lowendtalk.com/discussion/comment/1232674/#Comment_1232674
I'm about to go to the park with my kids for a few hours, but if you want help setting it all up just get a VPS and update it and I can help you out in a few hours. I also have a ton of Amazon credits to burn that I'm happy to throw at the cause and some unused VPS's for redundant backends.
You should be able to handle this with a VPS with 1 or 2 gigs of memory as long as you have that front-end and back-end infrastructure in place and the DDOS asshats don't know your real IP address.
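The "firewall off the origin so only Cloudflare can reach it" step above, as an added example (not the poster's setup and not Cloudflare's code): it turns a list of prefixes in the format of the https://www.cloudflare.com/ips files into allow/drop rules and, on the detection side, flags access-log clients that reached the origin without going through Cloudflare, which is the sign that the real address has leaked. The prefixes and log lines are constructed placeholders, not the real Cloudflare ranges.

```python
"""Lock an origin down so only Cloudflare's proxies can reach it.

Added example for this thread, not the poster's or Cloudflare's code.
CF_PREFIXES_EXAMPLE holds CONSTRUCTED placeholder ranges; in practice
load the current ips-v4 and ips-v6 lists from https://www.cloudflare.com/ips
"""
import ipaddress

# Constructed stand-ins for the published Cloudflare ranges (one CIDR per line,
# like the real files). Not real Cloudflare addresses.
CF_PREFIXES_EXAMPLE = [
    "203.0.113.0/24",      # placeholder v4 range
    "198.51.100.0/25",     # placeholder v4 range
    "2001:db8:cf00::/40",  # placeholder v6 range
]

# Constructed origin access-log lines (client IP is the first field).
SAMPLE_ACCESS_LOG = [
    '2001:db8:cf00::10 - - [10/Mar/2024:08:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:cf12::5 - - [10/Mar/2024:08:00:02 +0000] "GET /a.css HTTP/1.1" 200 90',
    '2001:db8:dead::1 - - [10/Mar/2024:08:00:03 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2024:08:00:04 +0000] "GET /b.js HTTP/1.1" 200 77',
    '192.0.2.44 - - [10/Mar/2024:08:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
]


def load_networks(prefixes):
    """Parse CIDR strings into network objects, skipping blanks and comments."""
    return [
        ipaddress.ip_network(p.strip())
        for p in prefixes
        if p.strip() and not p.lstrip().startswith("#")
    ]


def is_cloudflare(ip, networks):
    """True when `ip` falls inside one of the proxy ranges of its own family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks if n.version == addr.version)


def firewall_rules(networks, ports=(80, 443)):
    """iptables/ip6tables lines: accept the proxy ranges on the web ports, then drop.

    With an IPv6-only origin as in the comment above only the ip6tables set
    matters; both are emitted so the v4 side is closed too if it ever exists.
    """
    rules = []
    for n in networks:
        tool = "ip6tables" if n.version == 6 else "iptables"
        for port in ports:
            rules.append(f"{tool} -A INPUT -p tcp -s {n} --dport {port} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        for port in ports:
            rules.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def direct_hits(access_log_lines, networks):
    """Detection: client IPs that reached the origin without passing Cloudflare.

    Any entry here means the firewall is not in place or the origin address
    has leaked, which is the point at which the poster recommends moving IPs.
    """
    leaked = set()
    for line in access_log_lines:
        ip = line.split()[0]
        if not is_cloudflare(ip, networks):
            leaked.add(ip)
    return sorted(leaked)


if __name__ == "__main__":
    nets = load_networks(CF_PREFIXES_EXAMPLE)
    print("\n".join(firewall_rules(nets)))
    print("direct hits:", direct_hits(SAMPLE_ACCESS_LOG, nets))
```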
https://www.cloudflare.com/learning/dns/what-is-dns/
For now a simple DNS setting in the network settings of the operating system is enough; we don't even need to mess with the router settings.
https://iguru.gr/2018/11/08/subs4free-down/
Well, about the blocking decision itself I don't have much to say, only that both ΕΔΠΠΙ and the official distributors and copyright holders are out of touch with time and place.
One thing to note about it:
It looks like CloudFlare may not be selling your userdata (or explicitly naming you as the one using it), but it does look like they are giving it away for free in the form of aggregate data.
Yea, I got one of these and ended up fixing it for good.
My son gave his friend our WAP password for his phone and then the little punk friend decided to go on a downloading spree. How does one give out the WAP password and still remain safe?
Let me tell you.
I set up a pfSense router with an OpenVPN connection to the Netherlands.
All my machines have a static IP address. Anything requesting a DHCP address gets sent through the VPN and comes out the Netherlands. I'll never see another Rightscorp notice again.
edit: If you set one of these up, make sure to have the DHCP clients use openDNS or Google and NOT your DNS server on the router or provider. Also create a rule blocking all traffic from the DHCP clients to the WAN, to ensure the WAN traffic gets blocked in case the VPN goes down.
I think this is the gold standard for preventing apps from phoning home: Little Snitch
I've never used it personally, but I've heard only good things.
Yes - you're looking for PFSense. There are other options too, but I'm a big fan of that one. I use something similar as my current router, a Core i3 PC with a pair of dual-port server NICs, running PFSense. It has no problem handling NAT, firewalling, Squid proxy, blocking lists of known bad actors, etc.
You can't set up a self-hosted solution that works like Cloudflare, at least not without spending a boatload of money.
Cloudflare has 151 locations spread around the world and incredibly complex infrastructure in place.
Cloudflare offers a free tier that includes world class distributed DNS combined with free CDN service. It's unbeatable.
Answer: Just use Cloudflare.
It prevents website requests from hitting your host directly. If you have someone who helps you with your site they will know.
When you get a lot of traffic from reddit, it tends to take websites down - just fyi, so your site isn't down with the attention here.
It says it is made by NoAdBlock. I don't know, but they might be associated with Cloudflare. But if it's not Cloudflare, then maybe we could report it for bad behavior, etc?
EDIT: Cloudflare has an abuse form that allows reporting malware. I'm pretty sure that from the user's perspective, this qualifies as malware since it's intentionally causing breakage.
If the server really won't come back, we shoot it off the starboard bow.
....what I mean is, it's a very troubled piece of software from CloudFlare for connection acceleration and response differential compression. But either due to our scale or we just have monitoring detailed enough to notice, it has severe issues. Enough that we disabled it for now.
Also, happy cake day!
I’d recommend OPNsense over Pfsense. The owners of Pfsense (Netgate) do not seem to understand the open source process at all, to put it lightly.
There's a couple of things you could do. If you had two separate internet connections, you could use load balancing to get a faster connection by combining the two. Connectify Dispatch works great for that.
If you want a faster connection to your local network, you could use LACP teaming to bond the two connections together to make a 2Gbps virtual interface. You will need a switch that supports LACP though, and it's tough to take full advantage of this unless you have multiple client machines download files from your computer. Another benefit of this is if one port happens to fail, it will continue to run off the other port. Really only helpful for servers though that need 100% uptime.
Or you could turn the computer into a simple pfSense router.
Or you could just bridge the connections in Windows, making them act similar to a switch. Gives you the possibility to plug other ethernet devices into it, for example if you want to use your laptop simultaneously at your desk, you could plug it into the other ethernet port if you don't have a switch nearby.
If you were a financial institution, you'd know that Cloudflare has a bunch of relevant certificates. Since I assume you are not a financial institution, I don't know what regulations you have to follow, but chances are that Cloudflare can handle your data.
However no one knows since it's your data and regulations might say you need to get this confirmed for all vendors you use, which would include Cloudflare.
But technically you are right: Cloudflare receives the plain text data from the backend server (transport might be HTTPS, but it's repackaged). See also here. Whether this is an actual problem or not depends on your regulator and the certificates Cloudflare has.
What is usually the bigger problem is that PII can be accessed by the wrong people (e.g. I log in and see your PII).
Don't talk nonsense, that is a page from Cloudflare, which caches Jutarnji's pages and also protects against DDoS attacks and the like. You are possibly connecting from an IP address that is flagged as problematic in their system.
> the device they use needs further explanation
Probably an MitM proxy like this one. It's very simple to do: you just need to install a custom SSL cert on the phone, which allows any gateway with the corresponding SSL key to decrypt all the traffic. The same tech is used by many corporate firewalls to also inspect HTTPS traffic, and decent prosumer firewalls like pfSense can do it, too.
There are other people in the thread going on about SSL certificate pinning (which can prevent the above MitM interception), but Google don't appear to be using hard pinning: I've seen plenty of people use Google services from Android and Chrome on corporate networks that have such SSL-intercepting firewalls without issue. I just MitM'ed a couple of Google apps on my iPhone without any problems.
> It is a scare piece.
It's certainly at least a bit stupid. The phone is recording your location via GPS, which is obviously unaffected by turning off WiFi and pulling the SIM.
Not a solution to OP's problem, but for overall bandwidth allocation I use NetLimiter. It shows bandwidth used by different applications separately, allows you to set individual limits, and shows which IPs data goes to/comes from.
(On a "meh" side - it's pretty expensive, but I couldn't find a freeware program that does that.)
https://www.cloudflare.com/plans/
There you go. They will just quit the free service the moment they decide you need to. If you get enough traffic I give a good bet that the sales department starts mailing you.
You should just put cloudflare in front of your website. It’s free for personal sites, or $20/mo for pro plan. Then you never have to worry about this on accident (reddit hug) or on purpose (ddos).
https://www.cloudflare.com/plans/
Note: I do not work for cloudflare, I just use them at work.
Download it, try it, enjoy it.
If you have BSD / Unix experience, awesome, it'll give you even more control over it. If you don't, no worries, the router has a web interface, and it's REALLY straightforward and has a lot more features and power than a bog-standard router (hell, you can run an OpenVPN server on it, plus IPSEC, plus monitoring and traffic logging, plus QoS - this is the kind of thing you'd pay Cisco / Juniper a couple of grand for).
Truly random RNG via hardware is a thing in classical computing. Probably the most famous method is by watching lava lamps.
One thing I concluded over the years is that it's (almost) a lost battle to only try to use software that doesn't collect user data -- heck, even software that used to be privacy-friendly, like this one, can suddenly turn evil.
Instead, I started to consider all software to be suspicious, and resort to using application firewalls at all times, on all the operating systems. Is there a need for software X to connect somewhere? No? Blocked in full. Yes? Then I analyze what it sends and where, and if it still works when blocked. Don't know? Well, the application firewall will log any attempts for you to investigate.
For Linux, there is OpenSnitch for that purpose: https://github.com/evilsocket/opensnitch
First pick an opensource firewall
Here i will help... Buy one of these
https://www.pfsense.org/products/
Then lock out Microsoft
Start by adding these addresses to your firewall.
Or just use linux... But you know Fuck Microsoft and their bullshit.. Just starve them of the data and use the shit out of their products for free.. Make them regret giving it away for free. It is the best solution..
Edit: most of you know that hosts file edits don't make a difference as they are hard coded into DNS.aspi and cannot be bypassed through the hosts file.. External firewall and route them to 0.0.0.0
I am a big fan of Cloudflare. I would recommend using an Argo Tunnel to expose the service to Cloudflare. Set up basic rules to block non-US traffic, block bots, and then configure Access, which is a zero trust identity aware proxy. All of these are free from Cloudflare.
CloudFlare has denial-of-service attack protection. Normally that screen looks like this (I got that straight from the CloudFlare website as you can tell by the URL).
I've seen some websites use it. Voat was going down so much, I guess that's their solution.
A small cheap x86 business mini / ultra mini box (Dell/Lenovo/HP). Any 6th+ gen Intel CPU, 4 GB RAM and whatever disk space will be fine for your needs. Stick an Intel dual NIC card in it.
Install OPNsense: https://opnsense.org/ and away you go. OPNsense will give you the power of a huge enterprise level router/switch for basically little cost besides some cheap hardware and some time.
The ADSL modem is another story, you might be stuck with that depending on your ISP.
edit: /r/opnsense
>You was from Denmark right
yep... it was kinda hard getting the pfsense box... first i had to go to https://store.pfsense.org/ and then i had to click BUY! can you imagine that?
you could also go to https://www.pfsense.org/partners/locator.html and find a local reseller. :)
As an alternative, you can do this on an amd64 or x86 platform with PfSense which is a very popular FreeBSD based firewall appliance.
https://www.pfsense.org/download/
PfSense has available a number of packages built from open source projects to install additional functionality, for instance antivirus and caching proxy.
Since it's based on a PC platform, you can build a router with as much or as little processor, RAM and disk as you wish. This allows you to run what is considered by many a commercial grade firewall on a device which consumes no more power than the TP-LINK router.
Another advantage of being PC based is that you can run it as a virtual machine.
Using Plex violates their TOS section 2.8. Here is the link https://www.cloudflare.com/terms/
They don't limit bandwidth but I heard some people get temporarily banned for serving binary content (Plex). The ban lifts automatically after some period of time as far as I can recall. They really don't give much attention if your traffic is not that much.
I don't think it's right to encourage people to use Cloudflare in their Plex setup, as it clearly violates their TOS.
I solved this problem by running NetLimiter 4 on my Windows 8.1 machine. I agree with you -- if the bitcoin node eats up ALL my upstream bandwidth, then my internet connection becomes unusable. So the only way is to limit it.
Now I run my bitcoin node 24/7 and can watch movies and play games and it's fine :)
I have DSL with about 1.5MB downstream and 150KB upstream, so I set NetLimiter to limit Bitcoin Core to 1.17MB down 100KB upstream. I found that was the max before I noticed bandwidth performance degradation in other areas. I highly recommend this solution as it's been working great for me.
If it's static-ish content you could use CloudFlare. We do it for large sites and, for the most part, it works well and saves on bandwidth.
It sits in front of your website and caches your content (also adds some security). So most requests never hit web host. Google Analytics and similar will all still work as they operate client side. Your web server logs, however, won't show most of the traffic unless you put some special things in place.
It's also mostly free.
Good luck!
>I know how to use iptables to block ip addresses, but I want something more automated.
Fail2Ban will automatically ban IPs after repeated failures.
I'm running pfSense. It's very flexible, and a good learning experience for me. I've got it configured to block ads at the router level via the firewall and DNS based blocking, so the vast majority of ads (including phone ads!) are gone without having to install anything on connected devices.
thanks!
The desktop part is a firewall/router running pfSense for load balancing between multiple (slower) internet connections.
The laptop part is for gaming almost classic titles like the very first Command & Conquer, Red Alert, Quake 3, Abe's Oddysee/Exoddus... for these older games that you'd spend hours and hours on, it made sense to have a lower power rig to save on electricity.
> when you talk about pfSense you're really talking about the UI atop freeBSD.
Many people have this opinion, all of them are wrong. There are actually a lot of patches to FreeBSD base and some of the packages, in addition to the GUI. The "GUI" is also the configuration layer (the same PHP runs both).
In answer to OP: yes, there has been a fair amount of attention on the PHP GUI in the last year. You can see where people have reported bugs, we've fixed them, and made new releases.
Blocked by only two ISPs; how pointless.
Change your DNS and I bet it'll work again. The way the government forces ISPs to block sites is insanely easy to bypass, and legal.
Speak to HotWheels ( email : .) as he OWNS 8chan , report CP to CloudFlare. VPNs will not protect pedos.
If any laws are being broken, get them v&. I hate pedos, but I don't really understand what it has to do with KIA as we have no power over 8chan or ownership.
Also, If you are actively seeking CP on any website. I suggest you get some help.
If you run Apache, SSH, FTP, or other server services, I highly recommend fail2ban.
"sudo apt-get install fail2ban", then read the wiki pages about configuration.
This just means their SSL certificate is out of date and they need to update it. Nothing that they already have can be leaked, only whatever you may input/bring up while they have no certificate if say there was somebody malignant redirecting or listening to that data, which is unlikely. Just don't visit the site while they didn't update their cert.
https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/
Firefox also supports some additional security measures that Chrome doesn't fully or natively implement. It's also got a great mobile experience for people who like to read.
If you're saying wanna-be admin as in you want to learn how to do these things, the best way to do this is to set yourself up a pfSense router and learn how to use it. It's open source and you can install it on pretty much any machine with two NICs and do what you're after. I had it running on an old Celeron PC for years that served my entire home network, sometimes with three YouTube videos and Netflix going all at the same time without noticeable issues.
You set up OpenVPN on the pfSense router, connect to that from anywhere, then interact with the rest of your network like you're plugged into it locally. This way, the only thing that's exposed is the OpenVPN port, which is going to require keys to get into.
If you're ~~extra paranoid~~ security minded, you can go on to harden your servers inside your network to add additional hurdles to attackers. If your router is compromised, sure an attacker is in your network, but now they've gotta take the extra step of breaking into your server.
Security by obscurity is dead. Picking a non-default port number isn't going to help you. Botnets scan everything all the time now, attacks are automated. It used to be you had to have something of value to really worry about attacks, but nowadays they're just looking for another zombie to add to the horde.
-rwsr-xr-x is likely using pfsense. You can install it on an old computer and use that as a router instead of buying a whole new device. There are several ways to do this inside of pfsense like using DNS, Squid / Squidguard like above, and Dansguardian. Check out /r/PFSENSE and https://www.pfsense.org/ if you're interested.
This worked for me in pfSense without throwing any errors:
Done.
It is the website that sends the certificate, and your browser that validates the certificate. All modern browsers do this.
If the client is an app (and not a browser), it is up to the client to validate the certificate. I know that a couple of years ago there was a lot of focus on a number of apps not doing this correctly, but I don't know anything about the status of that as a threat vector today. Both iOS and Android today have APIs that do this automatically (and these are the default APIs), so the developer doesn't need to think about it.
You can read more here: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
I don't know what you are on about. Discord uses HTTPS, that means any communication between your client and the server is encrypted, which makes every JSON payload also encrypted, so your message cannot be read.
Just run Wireshark and send some messages. All you are going to see is an SSL stream between you and Cloudflare, see here: https://www.cloudflare.com/case-studies/discord/
> until the first people go to jail because of something they wrote on Discord. Censorship, surveillance
This is just straight up bullshit. The reason why your so-called "surveillance and censorship" is possible is because Discord allows bots to exist. Bots behave just like a normal account, except they can be automated, for example to respond in a way to certain messages, log messages, user activity and so on. There's a ToS for bot usage, which states that logging user data without notifying the user or allowing them to opt out is strictly illegal. What you can do against it is either don't join or don't message in that particular Discord server. Also the bot must be invited to the server, meaning only the server owners can do it.
Hey /u/Fatherlorris I noticed that whenever you post a new comic, your site loads like s... well, poorly (I'm from Europe).
May I suggest using Cloudflare? There's a free plan that should be enough.
I'm going to have to disagree with this, especially in regards to small businesses.
A firewall is typically used as a perimeter security device, and should remain separate from any other systems hosting content, especially when said content is available to the internet.
It doesn't take much hardware to build a pfSense based security appliance (software is free), and run your hosting services on another system.
Binned a Sonicwall for a pfSense box at my previous employment. I'm currently using pfSense running on a re-purposed Citrix CAG just for captive portal public wifi. We have ASAs so I'll take what's been said here on board and see how far off the EOL is.
Let's Encrypt is great. Cloudflare is terrible.
Here are some reasons not to use Cloudflare:
* It's not really free. It's like a drug dealer: "First one's free".
* Shared SSL certificates
* Forced to use Comodo for SSL
* Can't use Let's Encrypt for SSL
* Can't use your own SSL
* Decrypts SSL traffic, breaking End-To-End Encryption.
* Cooperates with tyrannical governments
* Provides services to terrorists, child pornographers, and so on
* Has no "vetting" process for new customers
* Does not protect your website from hacking
* Doesn't provide any value to 99% of websites
* Cloudflare's CEO is an ego-maniac who believes he controls the entire internet.
> Keyless SSL requires that Cloudflare decrypt, inspect and re-encrypt traffic for transmission back to a customer’s origin.
Source: https://www.cloudflare.com/ssl/keyless-ssl/
By doing that, Cloudflare is violating the trust between users and server operators and making the SSL certificate itself worthless. A website cannot be considered "Secure" if the traffic is decrypted by a man in the middle.
So to answer your question, ditch Cloudflare and use Let's Encrypt.
For young ones, I try to do education-focused OSes.
https://wiki.sugarlabs.org/go/Sugar_on_a_Stick
Steam is standalone. The only options are family library sharing and disabling the thousands of adult/hentai games they are flooded with.
Anything beyond that I deal with at the router/IPS with proxy filtering (https://opnsense.org/). As far as YouTube/Instagram/etc, that's a pedo rabbit hole. Best you can do there is pay attention to questionable stuff, because child grooming is apparently fine, but being conservative gets you banned.
It's hard to steal something that is BSD licensed.
They are freely giving credit on their website as well: https://opnsense.org/about/legal-notices/
(Note, I am a pfSense user currently but this drama is the root cause of me switching to an Ubiquiti solution for my next firewall/router purchase in January.)
Well, the pfSense sizing guide on their website recommends multiple cores at more than 2GHz each when working with over 500Mb/s speeds.
I think you've done well to get the performance that you have out of that poor little atom ;-)
I personally think you will be fine with a quad core xeon at 1.6GHz or so (or two dual cores) as for 100-500Mb/s they recommend one core at 2GHz.
Just make sure you get good Intel network adapters - I've had decent experiences with getting Realtek ones up to 1Gb/s but it seems I'm in a minority.
If it runs on normal infrastructure (not some weird mini-hosting in China, Turkmenistan or Russia), then it's a good idea to report the abuse to the administrators (e.g. to Cloudflare).
Quote from this article.
"Some bots can get past the text CAPTCHAs on their own. Researchers have demonstrated ways to write a program that beats the image recognition CAPTCHAs as well. In addition, attackers can use click farms to beat the tests"
Basically, there are ways around it. Read the article for more info
That's an interesting article, thanks for sharing! As far as I am aware, even when blocking the connections using iptables (or any software firewall), you're still receiving the traffic, which might hit your CPU hard, and it can bottleneck your bandwidth as well.
As far as I know, the most efficient and definitive way to mitigate a DDOS attack is by "blackholing" the traffic, but that requires a network infrastructure with a lot of bandwidth, that's why cloudflare is so popular when protecting from DDOS attacks - that traffic will never hit your infrastructure.
There's a bit more context on this article, if you're interested: https://www.cloudflare.com/learning/ddos/glossary/ddos-blackhole-routing/
Well, it looks like it wasn't the exchange that blocked us, but "Performance & security by Cloudflare".
Maybe there was a DDoS coming from our territory, or something else.
The site uses Cloudflare services to protect itself from attacks such as DDoS and uses a GoDaddy domain (the URL).
If you want to stop people from accessing it then everyone should file a complaint so that it could be brought down.
https://supportcenter.godaddy.com/abusereport and here: https://www.cloudflare.com/abuse/form
The answer to all your questions and all the security issues is to drop CloudFlare in front of your domain. It gives you DNS that propagates within seconds, masks your network's public IP behind their servers and supports dynamic IP addresses. Since you're on a home network the speed is definitely not on a server-provider level, but most of your assets will be cached by CloudFlare and served directly from their high-bandwidth servers. You also get very powerful DDoS protection and security overall. On top of that you get an SSL certificate for your domain. And the best part of it is that all of this is completely free.
To enable CloudFlare on your domain, simply change the nameservers of your domain to CloudFlare's nameservers and then wait for the change to propagate. After that your site will be enabled and you can handle the DNS directly from CloudFlare; just make sure your A record goes through CloudFlare (the cloud logo) and does not bypass it.
I've found that moving off port 22 already drops scans by 99.9%, so on a public server there's really no reason not to do that.
Then do 1) fail2ban or similar, and 2) port knocking
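The fail2ban idea in the post above (parse the auth log, ban any source that fails too often in a short window) in working form, as an added example and not the poster's code or fail2ban's own implementation. The log lines are constructed for this example in sshd's syslog format; the `maxretry`/`findtime`/`ignoreip` names mirror fail2ban's jail options but the code is a standalone re-implementation, and `ban_command` only builds the iptables rule string, it does not execute it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (syslog format). Not from any real host:
# 203.0.113.5 bursts five failures in 11 s, 198.51.100.7 only two,
# 10.0.0.2 fails five times but sits in the ignore list.
SAMPLE_LOG = """\
Jan 10 12:00:01 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Jan 10 12:00:03 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Jan 10 12:00:06 web sshd[2203]: Failed password for root from 203.0.113.5 port 4413 ssh2
Jan 10 12:00:09 web sshd[2205]: Failed password for root from 203.0.113.5 port 4414 ssh2
Jan 10 12:00:12 web sshd[2207]: Failed password for root from 203.0.113.5 port 4415 ssh2
Jan 10 12:00:15 web sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 5001 ssh2
Jan 10 12:00:20 web sshd[2211]: Failed password for invalid user test from 198.51.100.7 port 5002 ssh2
Jan 10 12:01:00 web sshd[2213]: Accepted publickey for deploy from 192.0.2.10 port 6000 ssh2
Jan 10 12:05:00 web sshd[2215]: Failed password for root from 10.0.0.2 port 7000 ssh2
Jan 10 12:05:01 web sshd[2215]: Failed password for root from 10.0.0.2 port 7001 ssh2
Jan 10 12:05:02 web sshd[2215]: Failed password for root from 10.0.0.2 port 7002 ssh2
Jan 10 12:05:03 web sshd[2215]: Failed password for root from 10.0.0.2 port 7003 ssh2
Jan 10 12:05:04 web sshd[2215]: Failed password for root from 10.0.0.2 port 7004 ssh2
"""

# Matches the two sshd failure forms ("invalid user X" and a real user).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def find_bans(log_text, maxretry=5, findtime=600, ignoreip=("127.0.0.0/8", "10.0.0.0/8")):
    """Return the set of source IPs with >= maxretry failures inside any findtime-second window."""
    ignored = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ip = m.group("ip")
        if any(ip_address(ip) in n for n in ignored):
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # slide the window forward
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def ban_command(ip, chain="INPUT"):
    """The iptables rule a banning daemon would install (string only; nothing is executed here)."""
    return f"iptables -I {chain} -s {ip} -j DROP"


if __name__ == "__main__":
    for ip in sorted(find_bans(SAMPLE_LOG)):
        print(ban_command(ip))
```

The sliding window matters: counting failures over the whole log would eventually ban a legitimate user who mistypes a password once a week, while a window plus threshold only catches bursts. Keep your own management addresses in `ignoreip` so a fat-fingered password cannot lock you out of the box.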
http://www.mikrotik.com/ is the manufacturer, http://routerboard.com/RBMetal5SHPn looks like the WiFi gear in question.
edit: adding MFG descriptor:
The new, completely waterproof, rugged, and super high powered RouterBOARD Metal. The serious outdoor wireless device!
Fully sealed, industrial design metal case, powered by RouterBOARD and RouterOS. 1300mW of output power - to reach the last mile, in any conditions! It comes with L4 license, so you can attach your favorite 5 GHz antenna to use it as an AP, to make wireless point-to-point links or as a CPE, whatever you prefer!
It has a built-in N-male connector, and pole attachment points, so you can attach it to an antenna directly, or use a standard antenna cable. LED signal indicators make it easy to install and align.
Package contains Metal-5SHPn, mounting loops, PoE injector, power adapter
Backblaze is part of the bandwidth alliance: https://www.cloudflare.com/bandwidth-alliance/
> Our partners have agreed to pass on these cost savings to our joint customers by waiving or reducing data transfer charges.
In theory, you could store in B2 and proxy through R2 for savings, depending on the egress rate they charge into R2. Though it's all theoretical until the product is live.
You mean the PTR Records shown?
What is PTR?
https://www.cloudflare.com/learning/dns/dns-records/dns-ptr-record/
"DNS PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name to the IP address. A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name."
An IP of: 45.80.90.125 will have a PTR of 125.90.80.45.in-addr.arpa (the reverse of the previous IP with a in-addr.arpa appended at the end)
Nothing is compromised on your system. PTR, DNSSEC, RRSIG and others are all part and parcel of the current DNS protocol. It is behaving exactly as it should be.
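The reverse-name construction from the post above, carried out by hand so the octet reversal is visible, plus the IPv6 form (nibble-reversed under `ip6.arpa`), which the post does not show. This is an added example, not the poster's code; the `FAKE_PTR`/`FAKE_A` tables are constructed stand-ins for DNS answers so it runs offline, and `forward_confirmed` is the standard "forward-confirmed reverse DNS" check mail servers use, added here because a PTR record alone proves nothing: whoever controls the reverse zone for an IP block can put any name in it.

```python
from ipaddress import ip_address, IPv4Address


def reverse_name(ip_str):
    """Owner name queried for a PTR record: reversed octets (v4) or reversed nibbles (v6)."""
    ip = ip_address(ip_str)
    if isinstance(ip, IPv4Address):
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6: expand to all 32 hex digits (leading zeros kept), then reverse digit by digit.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed stand-ins for DNS answers (offline example, not real zone data).
# The second PTR "lies": it claims a name whose A record points elsewhere.
FAKE_PTR = {
    "125.90.80.45.in-addr.arpa": ["mail.example.net."],
    "9.100.51.198.in-addr.arpa": ["trusted.example.org."],
}
FAKE_A = {
    "mail.example.net.": ["45.80.90.125"],
    "trusted.example.org.": ["192.0.2.44"],
}


def forward_confirmed(ip_str, ptr_table=FAKE_PTR, a_table=FAKE_A):
    """FCrDNS: accept a PTR name only if its forward (A) lookup contains the original IP."""
    ip = ip_address(ip_str)
    for name in ptr_table.get(reverse_name(ip_str), []):
        forward = {ip_address(a) for a in a_table.get(name, [])}
        if ip in forward:
            return name
    return None  # no PTR, or the PTR's name does not resolve back to this address


if __name__ == "__main__":
    print(reverse_name("45.80.90.125"))
    print(reverse_name("2001:db8::1"))
    print(forward_confirmed("45.80.90.125"), forward_confirmed("198.51.100.9"))
```

With real DNS you would replace the two tables with PTR and A queries; the logic stays the same. The point for the original question is the same as the post makes: a PTR record appearing in a lookup is normal DNS behaviour, and it is the operator of the address block, not your machine, that published it.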
So, I like what you're putting out overall, but I question the level of intention you're applying to "them"
I don't doubt anything about what you've written with regards to the nature and sophistication of the hardware and software attached to our markets... but I do question as to whether those forces are being intentionally directed toward retail order flow, or abused against retail order flow.
I suspect what's really underlying what we see is the equivalent of DNS amplified DDOS attacks (link your compsci quant this):
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
To break it down: My theory is that the shorts are intentionally putting out signals (through the way they're performing wash trades, down to timings, volume, and size of peaks/dips) to simulate otherwise normal market behaviors and cause OTHER organizations to help with their shorting.
To put it into a quick analogy, this isn't someone's D-Wave system run amok on its own and shorting, like "The Sorcerer's Apprentice" in Fantasia, but rather the shorts intentionally playing "harmonious selling music" in contrast to retail's buying to cause such systems monitoring the market to also join in on keeping down buy pressure / not recognize the profit opportunity.
I can't think of any immediate ways to discriminate between these two potential underlying causes though, so perhaps the distinction of intention is unimportant.
Do not send emails, send a formal DMCA Take Down notice. I have success in the past submitting a DMCA notice here:
https://www.cloudflare.com/abuse/form
There are numerous examples of DMCA notices on the Internet. Adapt yours accordingly. It is not necessary to register your copyright, but I noticed everyone works faster when you register and submit your copyright registration documentation.
You can submit the same notice to Cloudflare, the host and directly to the website.
An effective way is to report them to Google or to Cloudflare (only if they are actually using CF; check if their SSL certificate is from CF).
Cloudflare usually responds to abuse reports within a few hours. Google takes some more time apparently...
Taking this a step further: if your router allows for custom firewall rules, you can grab the Cloudflare IP set that will talk to your server and only port-forward if it's from one of them.
We don't really know what goes on inside DDG, but at least they've promised to not track your requests, and that's one of their differentiators. If they are keeping their promise, there's no record of your search.
Now, suppose they began to use a CDN. Cloudflare, for example, states they do log requests. So then, there would be no difference between the big guys and DDG.
My concern is that creating your own rules is impractical and expensive. Blocking by IP address? A fool's errand in the world of botnets. Creating my own string matching for SQL injection? There are so many ways for these to be written. Maybe I'm missing something, but I prefer how CloudFlare does this.
This was some time ago, but pfSense had a history of being dicks to an alternative called OPNsense. So to note, some folks over at /r/homelab would recommend OPNsense over pfSense instead.
Or just use a 3rd party firewall and block everything, approve on demand. I use https://www.glasswire.com/ on Windows, https://www.obdev.at/products/littlesnitch/index.html on OS X
Going out of your way to uninstall updates and disabling deeply embedded settings is likely not a good long term solution.
Because it's a fully fledged, open-source software firewall that can run on any number of hardware configurations with a shitload of services, addon support and super good firewalling.
I use a pfSense firewall at home. There is a plugin called pfBlockerNG that allows for Geo-IP blocking very easily. Click to install the plugin, select the countries you want to block (or select all and unselect the ones you want to allow), and activate it.
pfSense can do all you ask for; performance is not an issue as long as the PC running the router has enough RAM (1 GB) and a decent CPU. All the documentation and some examples can be found here: https://www.pfsense.org/ The OS is very powerful and can require a bit of getting used to because it is based on BSD, but with a bit of practice it is easy.
A good VPN that doesn't store logs should suffice. Check out /r/VPN. ~~The best thing you can do is buy a router that supports custom Linux firmware such as DD-WRT and apply the VPN directly on it so no data is leaked.~~ VPN software should suffice, it seems. You could repurpose an old PC and make it into a Linux router with pfSense (this stuff is amazing): https://www.pfsense.org/
There are also ways to have a failsafe so that if the VPN fails, no data is leaked. Furthermore, if you pirate, a seedbox or using Usenet and downloading via SFTP would be very secure: /r/torrents, /r/seedbox, /r/Usenet, /r/privacy.
edit: changed router info. Also, you should look for a VPN with one or more servers/gateways located near AU to ease bandwidth loss.
Whenever I see someone say something as explicit as "don't want to rely on a 3rd party like CloudFlare", all I can think is that it's your loss.
Cloudflare is terrific, and their "Access" product would probably be exactly what you are looking for. Only it will work faster and better than anything you could implement yourself.
https://www.cloudflare.com/en-au/learning/bots/how-captchas-work/
A user has to identify the images that contain certain objects, such as animals, trees, or street signs. If their response matches the responses from most other users who have submitted the same test, the answer is considered "correct" and the user passes the test.
Yes, every time you create a new TLS connection it does a new handshake and generates new ciphers used only for that session. Ditto for SSH and basically every other encrypted protocol still in use. This is the basic foundation of modern secure infrastructure. Even at Chili's.
https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
I use Cloudflare for all my sites.
It's completely free to get an SSL certificate. Instead of installing a certificate, you just point your nameservers at them (easy to do in your hosting account) and turn SSL on in the settings.
You can also set up a free custom rule, which forwards all traffic from http to https.
Another great (free) benefit of Cloudflare is that you can cache your site and have it delivered over their CDN. This makes your web pages load quicker and uses less data for your users.
In CloudFlare you can enable "I'm Under Attack Mode", which will verify that visitors to your site are not bots if you are under a Layer 7 attack. Also, I recommend firewalling off all traffic to your machine except from the CloudFlare IPs if your server is under direct attack. You can find a list at https://www.cloudflare.com/ips
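Two of the posts above describe the same hardening: restrict the origin's inbound web traffic to Cloudflare's published address ranges (the port-forward idea further up, and the firewall-off-everything-else advice directly above), and the earlier setup post stresses that the A record must stay proxied (the cloud logo) rather than bypass Cloudflare. The block below, an added example and not any poster's code, implements both checks. The CIDR list is a constructed placeholder in the one-range-per-line format of https://www.cloudflare.com/ips, not the live Cloudflare set; fetch the real v4 and v6 lists yourself and refresh them, since the ranges change. `nft_rules` builds nftables statements as strings and does not apply them.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder in the format of https://www.cloudflare.com/ips-v4
# (RFC 5737 documentation ranges). Replace with the live list; do not use these as-is.
SAMPLE_IPS_V4 = """\
198.51.100.0/24
203.0.113.0/24
"""


def parse_cidr_list(text):
    """One CIDR per line; blank lines and '#' comments ignored. strict=True rejects host bits set."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ip_network(line, strict=True))
    return nets


def is_cloudflare(ip_str, nets):
    """True if the address falls inside any of the published ranges."""
    ip = ip_address(ip_str)
    return any(ip in n for n in nets)


def unproxied(answers, nets):
    """Given the A answers for your hostname, return the ones that expose a non-Cloudflare address.
    A non-empty result means the record is 'grey cloud' (DNS only) and leaks the origin IP."""
    return [a for a in answers if not is_cloudflare(a, nets)]


def nft_rules(nets, port=443, table="inet filter", chain="input"):
    """nftables statements: an interval set of the ranges, accept from it, drop everything else."""
    elems = ", ".join(str(n) for n in nets)
    return [
        f"add table {table}",
        f"add set {table} cf_v4 {{ type ipv4_addr; flags interval; }}",
        f"add element {table} cf_v4 {{ {elems} }}",
        f"add rule {table} {chain} tcp dport {port} ip saddr @cf_v4 accept",
        f"add rule {table} {chain} tcp dport {port} drop",
    ]


if __name__ == "__main__":
    nets = parse_cidr_list(SAMPLE_IPS_V4)
    # Constructed DNS answers for a hostname: one proxied, one leaking the origin.
    print("leaks:", unproxied(["203.0.113.77", "192.0.2.10"], nets))
    print("\n".join(nft_rules(nets)))
```

Two caveats a practitioner should keep in mind. The allowlist only proves the packet came from Cloudflare's edge, not that it came through your zone: any Cloudflare customer can point their zone at your origin IP if they learn it, so the allowlist complements keeping the origin address secret rather than replacing it. And the drop rule must cover the same port on IPv6 too, or the origin stays reachable over the address family you forgot.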
My vote is for Mikrotik RouterBoards, probably an RB2011 series. I haven't used Ubiquiti EdgeRouters so I can't do a direct comparison, but the RouterBoards have very full features and great management tools (Web UI, Winbox client app, or command line). You can play around with RouterOS (which is just a heavily customized Linux distro) by downloading it and running it in a VM (or probably even install it on x86 hardware, but I've never tried that).
Can also check out /r/mikrotik
> Project Multatuli's website was DDoS'D after publishing an article critical of the police's handling of a statutory rape case in Luwu Timur
I think I read somewhere that Cloudflare has a subscription plan for NGO or something, probably want to use that.
Edit: Yes, Project Galileo.
DDoS against servers is the best and easiest way to take down a site, probably DNS resolvable hosts.
It not only can affect people trying to get to the servers (the domain name won't resolve) but can cause internal problems if they (the company) are dependent upon external resources such as Ping, Google or other authentication methods.
Even though the company may be up, access would be blocked.
https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/
The other options would be supply-chain attacks, Shellshock and Bouncy Castle type vulnerabilities, not to mention internal compromise of users/systems, which we see with ransomware.
But externally, bot-based accounts performing a DDoS is one of the hardest to defend against.
The Fastly issue was a configuration problem due to a valid config being pushed, and encountering a bug. 1-minute to detect, hours to remediate.
No, that's not how random number generators work. They will always give the same results from the same seed, as long as you don't change the RNG or its implementation.
That's why some people go through elaborate lengths to get a truly random seed for their RNG: https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/
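The determinism the post above describes, shown in code, together with the consequence it implies but does not spell out: if the seed is guessable (a timestamp, a PID, a small counter), anyone who sees a few outputs can recover the seed by enumeration and predict every later value. This is an added example, not the poster's code; `WEAK_SEED` is a constructed stand-in for `int(time.time())` at the moment a token was minted, and `random.Random` (Mersenne Twister) is used only to illustrate seeding, not as a recommendation for anything security-relevant.

```python
import random
import secrets


def seeded_sequence(seed, n=4):
    """Same seed + same RNG implementation -> the identical output sequence, every time."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def recover_seed(observed, candidates):
    """Brute-force the seed from observed outputs. Only feasible when the seed space is small,
    which is exactly the problem with seeding from the clock."""
    for s in candidates:
        if seeded_sequence(s, len(observed)) == observed:
            return s
    return None


# Constructed "weak" seed: stands in for int(time.time()) when the token was generated.
WEAK_SEED = 1_700_000_000


def weak_token():
    """What a service that seeds its PRNG from the clock hands out to a user."""
    return seeded_sequence(WEAK_SEED, 4)


def strong_seed():
    """Seed from the OS CSPRNG: 256 bits, so enumeration is hopeless. (For real secrets,
    use the secrets module directly rather than seeding a Mersenne Twister with it.)"""
    return secrets.randbits(256)


if __name__ == "__main__":
    observed = weak_token()
    # Attacker guesses the token was minted within an hour of a known moment.
    guess = recover_seed(observed, range(WEAK_SEED - 3600, WEAK_SEED + 3600))
    print("recovered seed:", guess)
    # Knowing the seed, the attacker now predicts the next value the service will produce.
    print("next value:", seeded_sequence(guess, 5)[4])
```

The search over 7200 candidate seeds takes well under a second; a seed drawn from `secrets.randbits(256)` has no such neighbourhood to search, which is the whole reason the lava-lamp wall and similar entropy sources exist: the hard part is not the generator, it is obtaining a seed nobody can enumerate.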