this post was submitted on 22 Nov 2023
6 points (100.0% liked)
Self-Hosted Main
21 readers
1 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
For Example
- Service: Dropbox - Alternative: Nextcloud
- Service: Google Reader - Alternative: Tiny Tiny RSS
- Service: Blogger - Alternative: WordPress
We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.
Useful Lists
- Awesome-Selfhosted List of Software
- Awesome-Sysadmin List of Software
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Clearly opening RDP port on internet. NEVER.
What do you mean by "clearly". Open RDP without password protection?
I often use RDP to access my desktop Windows 10.
The password isn't enough. It's not a hardened protocol and vulnerabilities are found in it with some regularity. There have been unauthenticated RCEs before, ie nightmare scenario.
Those vulnerabilites come from humans clicking on files they're not supposed to click on. NO way of communication is secure against that. Not even the magic of Tailscale. RDP offers 2FA and has an encrypted connection. It's fine!
Even Microsoft recommends against opening rdp to the web and to use a VPN instead.
You're playing with fire here.
As far as a few google searches got me: No, they don't.
Lol, I work at an attack surface scanning company. Every freaking company I talk to, with very few exceptions, has at least one of these. If not a whole infrastructure. Then they cry, "how did we get ransomware?"
Psa for you guys that rdp over the net, turn that off, and use a VPN like wire guard or tail scale, or use something like apache guacamole.
Don't try to be clever and change the port from 3389 to something else either
Scanners can fingerprint traffic and just blast the other ports instead
I (foolishly) did this a few years ago and luckily I had account lockout enabled
Constant attempts all day long - they were even able to enumerate local users and try to log in as them (fortunately they never could cause the passwords were random keepass ones)
Don't do it, seriously
What is wrong with that? Don't they still need correct credentials to connect?
The service itself is insecure. You need to hide it behind a more secure setup if you want to expose it to the internet. It's been a long while since I tried, but I have some foggy memories of an RDP Server that would encapsulate the connection in an SSL tunnel and forward the connection to the remote machine rather than exposing the RDP client itself to the internet.
Definitely do your research on how to do it securely before you just set it up and open it to the wild.
VPN FTW
Oh sure, VPN is definitely the preferred way if you already have the infrastructure in place. My experience with the front-end RDP server was years ago as the sysadmin for a company. My experience is likely very out of date, and was very corporate-focused, rather than for an enthusiast.
Nowadays I try not to touch Windows, and haven't used RDP in years.
These days there are so many bots scanning that you have to be so careful.