Anyone doing it now?
Yes.
What is your stack?
Anything and everything I need at that moment.
FreeBSD firewall on separate physical machine, also includes an nginx-based web proxy, for the web servers behind the firewall. Several web servers, based on FreeBSD, Apache / nginx, MySQL / SQLite / flat files, PHP + frameworks on top of that. Using a Dynamic DNS client to get "static" hostnames for my web sites.
What's a good dynamic DNS client?
I'm still using dns/ddclient.
Does that match your hostname to whatever IP your ISP gives you?
Yes, a dynamic DNS client updates your hostname whenever the IP address changes.
Stock FreeBSD (11.x, I forgot what x is, latest production version). Small Atom-based machine. Also used as a file server for inside the house, so it has two large disks in a ZFS mirror. Boots off a tiny SSD (I think 32gig), with a second SSD the same size already installed as a spare. External backup disk sits in a big fire-proof safe (actually, it doesn't right now, I had to take it out recently and haven't had time to thread the wires back through the tiny hole in the safe wall). Off-site backup is a portable disk that gets stored at a remote location. The backup software is self-written, and internally uses Berkeley DB (although switching to SQLite is on my to-do list, Berkeley DB is too painful to use with transactions, logging, and locking).
Normal firewall, using pf, with self-written rules. The machine has two ethernet ports in hardware, so that works well for a firewall machine with internal router. Also acts as DHCP and NTP server for inside the house. Used to also be the wireless AP, but I discovered that 802.11 drivers on *BSD were not reliable enough to function in production, and switched to a store-bought AP, which has been remarkably trouble free (this might have changed in the last few years, haven't had time to try it again). No e-mail setup, all e-mail is read using the ISP as the e-mail server. Got rid of sendmail (way too painful to configure and maintain, did that for 15 years, want to be done with it) and got the tiniest SMTP server I could find, namely ssmtp. For DNS, I use stock bind, configured to be authoritative for the internal network, and caching for the rest of the world (with a dual-horizon DNS setup). I should set up dynamic DNS sometime, but our dynamic address only changes once every few months, so it's not worth the effort. I have a reverse tunnel into the machine (which is rather well secured and rather well hidden). For a web server (mostly internal, also accessible via the secret tunnel) I use a stock apache, with certificates from LetsEncrypt.
It also handles some SCADA / equipment monitoring / industrial control functions, using serial ports and ethernet.
Yes, I use a single machine for the firewall/router and for the home server. I know that purists suggest using separate machines. Too much work, for little gain.
Static web pages, and a half dozen .cgi scripts that are all written in Python. The typical .cgi script is between 100 and 200 lines long, and gathers information or does things. Not very exciting. No real "apps".
I have a reverse tunnel into the machine (which is rather well secured and rather well hidden).
The trustworthy host has a fixed IP address, so I did that in my pf.conf file. Although honestly, I don't think it makes a lot of difference: If an adversary is dead set on hacking my account (and doing it well enough that they have managed to get my personal ssh key), then I have no reason to believe that the "trustworthy host" is any more secure than my home machine.
In the end, security is not about provably making unauthorized access impossible. It is about making it more difficult, so you hope that a determined attacker gives up, and goes after a softer target, and that script-kiddies fail on your relatively low defense.
Old joke: What caliber gun should you carry in bear country? A very small .22, to shoot your hiking partner in the knee when the bear comes.
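As an added illustration of the two-interface home router with self-written pf rules described in the firewall post above (DHCP and NTP served to the house, default deny on the ISP side) and of the "fixed IP address in pf.conf" restriction from the trustworthy-host reply, here is an example /etc/pf.conf. It is written for this page and is not any poster's own ruleset. The interface names em0/em1, the internal network 192.168.1.0/24, the trusted host address 203.0.113.10 (a documentation range) and the tunnel port 2222 are all placeholders, and it assumes the tunnel endpoint is reached inbound on the external interface; adjust them to the real setup.

```pf
# /etc/pf.conf -- added example, not the poster's configuration.
# All names and addresses below are assumptions/placeholders.
ext_if = "em0"                  # interface facing the ISP (assumed)
int_if = "em1"                  # interface facing the house LAN (assumed)
lan_net = "192.168.1.0/24"      # constructed internal network
trusted_host = "203.0.113.10"   # placeholder: fixed IP of the trustworthy host
tunnel_port = "2222"            # placeholder: port the tunnel endpoint listens on

set skip on lo0
set block-policy drop
scrub in all

# Hide the LAN behind the firewall's current external address.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny everywhere; additionally log what the ISP side drops,
# which is the cheap "who is knocking" signal for a home box.
block all
block in log on $ext_if all

# Drop packets whose source address does not belong on that interface.
antispoof quick for $ext_if
antispoof quick for $int_if

# The firewall itself (and forwarded LAN traffic) may go out; state
# entries let the replies back in without any further inbound rule.
pass out quick keep state

# Services the router offers to the house: DHCP (clients still have
# 0.0.0.0 as source, hence "from any"), DNS from the caching bind,
# NTP, and the mostly-internal web server.
pass in quick on $int_if inet proto udp from any port 68 to any port 67
pass in quick on $int_if inet proto { udp, tcp } from $lan_net to ($int_if) port 53
pass in quick on $int_if inet proto udp from $lan_net to ($int_if) port 123
pass in quick on $int_if inet proto tcp from $lan_net to ($int_if) port { 80, 443 }

# Anything else aimed at the router's own LAN address is refused,
# but LAN hosts may be forwarded to the rest of the world.
block in quick on $int_if from any to ($int_if)
pass in quick on $int_if inet from $lan_net to any keep state

# The only inbound exception on the ISP side: the tunnel endpoint,
# and only from the trustworthy host's fixed address.
pass in quick on $ext_if inet proto tcp from $trusted_host to ($ext_if) \
    port $tunnel_port flags S/SA keep state
```

Parse it without loading (`pfctl -nf /etc/pf.conf`) before `pfctl -f /etc/pf.conf`, and check the expanded rules with `pfctl -sr`; forwarding between the two ports also needs `gateway_enable="YES"` in /etc/rc.conf. The rule order matters because of `quick`: the service rules match first, the catch-all `block in quick ... to ($int_if)` then closes every other port on the router, and only afterwards is general LAN traffic forwarded. If the tunnel is purely outbound from the home machine, the last rule is unnecessary and `pass out` already covers it.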