Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/JulianOliver/statuses/114740154996946278">Julian Oliver (julianoliver@mastodon.social)'s status on Wednesday, 25-Jun-2025 09:19:06 JST</a><a href="https://mastodon.social/@JulianOliver" title="julianoliver@mastodon.social"><img src="https://gnusocial.jp/avatar/9384-48-20250625001906.webp" width="48" height="48" alt="Julian Oliver" style="position: absolute; left: 0; top: 0;">Julian Oliver</a><div><a href="https://toad.social/@grumpybozo/114739494704288862" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/78300" title="grumpybozo@toad.social">🆘Bill Cole 🇺🇦</a></li></ul></div></section><article><p><a href="https://toad.social/@grumpybozo">@grumpybozo</a> <a href="https://libranet.de/profile/clacke">@clacke</a> tunnel solely over VPN, ingress IP set in authorized_hosts and/or ip(6)tables, &amp; to jailed lobby user (no root SSH, even with keys), whose $SHELL is rbash or so, only accessible binary in immutable path sudo, for escalation to root. Jailed VMs should be reached from host over SSH, not outside, no attack surface dilation with VNC, unless over VPN. Should be no VM&lt;-&gt;VM traffic on bridge other than needed (like to MTA via VM), no traffic VM-&gt;host, other than through rev proxy</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5249994#notice-10307518">In conversation</a><time datetime="2025-06-25T09:19:06+09:00" title="Wednesday, 25-Jun-2025 09:19:06 JST">about a month ago</time> <span>from <span><a href="https://mastodon.social/@JulianOliver/114740154996946278" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@JulianOliver/114740154996946278">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Julian Oliver (julianoliver@mastodon.social)'s status on Wednesday, 25-Jun-2025 09:19:06 JSTJulian Oliver
in reply to
- clacke
- 🆘Bill Cole 🇺🇦
@grumpybozo @clacke tunnel solely over VPN, ingress IP set in authorized_hosts and/or ip(6)tables, & to jailed lobby user (no root SSH, even with keys), whose $SHELL is rbash or so, only accessible binary in immutable path sudo, for escalation to root. Jailed VMs should be reached from host over SSH, not outside, no attack surface dilation with VNC, unless over VPN. Should be no VM<->VM traffic on bridge other than needed (like to MTA via VM), no traffic VM->host, other than through rev proxy
In conversationabout a month ago from mastodon.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice