
Posts for year 2021

Minimizing my selfhosted attack surface

Tweaking my Linux server, I'm always fairly wary of opening my self-hosted services up to the internet: just how sure am I that the developer has done the right due diligence? Thankfully it's relatively simple to at least limit which parts of a service are reachable from the open internet, using Nginx's allow and deny options.


Update

Note: if you want a Docker container to reach a protected service, you have to pin the container network's subnet in your docker-compose file (so that the container's address falls inside a whitelisted range), as below:

networks:
  node-red-network:
    ipam:
      config:
        - subnet: "172.16.0.0/24"

Update 2

A more generic change is to set the default address pools in Docker's /etc/docker/daemon.json file. You then only have to whitelist the 172.16.0.0/16 range.

{
  "default-address-pools":
  [
    {"base":"172.16.0.0/16","size":24}
  ]
}

First, store the rules in a file so you can include it multiple times; this makes future updates trivial. Create the file include_whitelist in your nginx folder, adding your own allow options between satisfy any; and deny all;.

satisfy any;

# allow localhost
allow 127.0.0.1;

# allow a single address
# allow 000.000.000.000;

# allow LAN network
allow 192.168.0.0/24;

# allow WLAN network
allow 192.168.2.0/24;

# allow VPN network
allow 10.1.4.0/24;

# drop rest of the world
deny all;

You then have to include the file in your nginx config. Here I'm using TT-RSS as an example. Note that I'm excluding the API and public.php by putting them in separate location blocks that do not include include_whitelist. This lets me keep using TT-RSS on my mobile phone through the mobile application.

  location ^~ /tt-rss/ {
      include /etc/nginx/include_whitelist;

      access_log off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://127.0.0.1:8280/tt-rss/;

  }

  location ^~ /tt-rss/api {

      access_log off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://127.0.0.1:8280/tt-rss/api;

  }

  location ^~ /tt-rss/public.php {

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://127.0.0.1:8280/tt-rss/public.php;

  }

For Node-Red I wanted an API endpoint for Tasker on my phone. Thankfully this is just as easy to define in Node-Red as it is in nginx: open your GET node and just add another folder to the path.

Add an extra folder to your Node-Red endpoints

An example of the Node-Red nginx configuration. Just as in the TT-RSS example above, I have excluded the api subdirectory by giving it a separate location block.

  location ^~ /node-red/ {
    include /etc/nginx/include_whitelist;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:1880/node-red/;
  }

  location ^~ /node-red/api/ {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:1880/node-red/api/;
  }

Now only your API endpoints are globally reachable. If, like me, you run a firewall, putting a convenient geo-block in front lowers the exposure a bit more.
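To check that the whitelist and the separate location blocks above really behave as intended, here is an added example (my own code, not part of the original post and not nginx itself) that models the two nginx rules the setup relies on: allow/deny directives are evaluated in order and the first rule matching $remote_addr wins, and among prefix locations the longest matching prefix is chosen. The rule list is the post's include_whitelist plus the 172.16.0.0/16 range from Update 2; the test addresses (203.0.113.x and friends) are constructed sample values.

```python
"""Model of the nginx access decisions described in the post.

Added example, not part of the original post or of nginx. It models:
  1. ngx_http_access_module: allow/deny rules are checked in order and the
     first rule matching the client's $remote_addr decides; with no match
     the request is allowed, which is why the list ends with 'deny all'.
  2. Prefix location selection: among ^~ prefix locations nginx picks the
     longest prefix that matches the request URI.
"""
import ipaddress

# The include_whitelist from the post, plus the 172.16.0.0/16 range that
# "Update 2" says must be allowed once Docker's default address pool is set.
WHITELIST = [
    ("allow", "127.0.0.1"),        # localhost
    ("allow", "192.168.0.0/24"),   # LAN
    ("allow", "192.168.2.0/24"),   # WLAN
    ("allow", "10.1.4.0/24"),      # VPN
    ("allow", "172.16.0.0/16"),    # Docker containers (Update 2)
    ("deny", "all"),               # rest of the world
]

# The location prefixes from the post, mapped to whether that block
# includes include_whitelist (True) or is deliberately left open (False).
LOCATIONS = {
    "/tt-rss/": True,
    "/tt-rss/api": False,
    "/tt-rss/public.php": False,
    "/node-red/": True,
    "/node-red/api/": False,
}


def access_allowed(remote_addr, rules=WHITELIST):
    """First matching allow/deny rule decides; no match means allowed."""
    addr = ipaddress.ip_address(remote_addr)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True


def select_location(uri, locations=LOCATIONS):
    """Longest matching prefix wins, as for nginx prefix locations.
    Returns None when no configured prefix matches."""
    matches = [prefix for prefix in locations if uri.startswith(prefix)]
    return max(matches, key=len) if matches else None


def request_allowed(remote_addr, uri, rules=WHITELIST, locations=LOCATIONS):
    """Return (location, allowed) for a request under the post's config.
    A URI outside every configured location is reported as refused here;
    real nginx would fall through to whatever other locations exist."""
    loc = select_location(uri, locations)
    if loc is None:
        return None, False
    if locations[loc]:                      # block includes include_whitelist
        return loc, access_allowed(remote_addr, rules)
    return loc, True                        # open block: no IP check at all


if __name__ == "__main__":
    # Constructed sample requests: (client address, URI)
    samples = [
        ("192.168.0.10", "/tt-rss/"),           # LAN user -> allowed
        ("203.0.113.5", "/tt-rss/"),            # internet -> denied
        ("203.0.113.5", "/tt-rss/api/"),        # mobile app via API -> open
        ("172.16.3.4", "/node-red/"),           # container in the 172.16/16 pool
        ("172.17.0.2", "/node-red/"),           # default bridge, NOT whitelisted
        ("203.0.113.5", "/node-red/api/foo"),   # Tasker endpoint -> open
    ]
    for addr, uri in samples:
        loc, ok = request_allowed(addr, uri)
        print(f"{addr:>14} {uri:<22} -> location {loc!s:<20} {'allow' if ok else 'deny'}")
```

Two caveats that fall out of the model. First, the access module only ever sees the TCP peer address: if another proxy or CDN sits in front of nginx, every request appears to come from that proxy, and you need the real_ip module (set_real_ip_from and real_ip_header) before allow/deny will match the true client. Second, the open blocks are plain prefixes, so /tt-rss/api also captures any URI that merely starts with /tt-rss/api; the trailing slash on /node-red/api/ avoids that for Node-Red. Also note that satisfy any; only changes behaviour when an auth directive such as auth_basic is combined with the IP rules; on its own, the whitelist is just the address check.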


Removing 3g modem from a Kindle Paperwhite 2

Why do I need the cloud? Do I need cloud connectivity on my Kindle everywhere I go? Probably not.

A few years ago I received an old Kindle Paperwhite 2 3G (2013, 6th generation) from my mother. She wasn't a fan of the screen and decided she preferred a full tablet for reading, while I quickly fell in love with the e-ink screen. However, my use case mainly involves e-novels and websites I scrape and upload via Calibre. Given how privacy conscious I have become, and how much of a power drain a 3G modem can be, I've basically had it in airplane mode since I received it.

But walking to my desktop to sync books when the device has Wi-Fi felt wasteful, and searches on the internet for ways to disable the 3G proved fruitless.

Modular hardware

While searching for a teardown video to see what the internals even looked like, I stumbled upon this video for an older Kindle model, which pointed out how modular Kindle hardware really is. After seeing the Wi-Fi Paperwhite internals and this video, I felt it was likely they were still using this modular design (after all, if it works), so I cracked open my Kindle following this iFixit guide.

Well that was simpler than it looked

Thankfully, removing the 3G modem is a non-destructive process (apart from the glue, when removing the bezel).

Kindle paperwhite 2 internals

  1. The 3G antenna - I didn't remove this.
  2. The 3G modem - Held in by 4 screws and attached with a tiny connection plug.
  3. The SIM card slot - Simply push the tray lid in the direction of the arrow to open.

3g Modem removed

  1. The 3G antenna connector - This is a simple push connector. A firm pull up and away from the board will disconnect it without damage. I used some tape to secure the wire for reassembly.
  2. A loose metal washer, I secured this back in place with the screw I removed previously.
  3. A loose metal washer, I secured this back in place with the screw I removed previously.

Re-assembly

This was simply a matter of replacing the board and screws and lightly clamping the bezel back in place. The glue on the bezel was, thankfully, still sticky enough to reattach without any issue. As the bezel has no mechanical stresses on it, I don't see this ever being an issue.

My next steps

My next steps were to jailbreak/root my Kindle to install a couple of useful tools (i.e. a firewall). I plan to go over this in detail, along with my remote book management solution, in another post, so stay tuned.