C++ developer. Decided to switch to Lemmy after the Reddit API fiasco.

  • 8 Posts
  • 16 Comments
Joined 1 year ago
cake
Cake day: June 26th, 2023

help-circle
















  • Correct. As Lemmy (and the entre Fediverse) is decentralized. The only people can do anything are the admins of the instance. If they fail to take action. other instance owners have the choice to completely de-peer that instance. Which will make that instance and the users on it unavailable locally. At the high collateral damage. Like how Gab (IIRC was a far right instance) is blocked by most major Masdoton servers.

    There is no way to globally ban any community and/or instance.



  • Not professional sysadmin. I run my homelab and handles a few servers at work. I don’t use IDS. So may be irrelevant.

    • WAF to stop HTTP parameter pollution and request smuggling
    • Fail2ban on SSH and move ssh away from port 22
    • Setup LAN recursive resolver and disallowed outbound raw DNS

    For me, a lot more emphasis is on defending the application

    • Setup systemd unit hardening
    • Use Landlock LSM to whitelist directories (modifying source needed). Stops directory traversal and command execution
    • TLS or stunnel between application and database
    • Point DNS to local resolver
    • LD_PRELOAD hardened allocator

    I’m currently looking into the Linux port of pledge to further reduce post exploit attack surface. But the project is not mature enough for production, yet.






  • clehaxze@reddthat.comtoAsklemmyLemmy is confusing
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    That’s the exact point. reddthat.com or lemmy.world servers can blow up into pieces and none of users living on other servers would be affected. Unlike Reddit, where a single company can decide they want to do something stupid and everyone had to obey.