Well, too long at Google… I did funky stuff to my network

2019.06.29

For a start, no more Cloudflare: I set up DNS CAA records for my SSL certs, and I’d have to remove them for Cloudflare to issue SSL certs with my hostnames in them. So for now, no Cloudflare.
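The CAA records mentioned above are what stop a CA other than the one listed from issuing for those hostnames. As an added example (not code from this post), the check below implements the RFC 8659 "relevant record set" walk and the issue/issuewild evaluation over constructed zone data; the domain names and CA identifiers are assumptions, not the author's real records.

```python
# Constructed zone data for an assumed domain: fqdn -> list of (flags, tag, value).
# Real deployments query DNS; this lookup table keeps the example offline.
CONSTRUCTED_ZONE = {
    "example.net.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "lab.example.net.": [],  # name exists but carries no CAA records
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(zone, name):
    """RFC 8659 section 3: walk from the name toward the root;
    the first non-empty CAA RRset found is the relevant one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: CAA imposes no restriction


def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """Return True if the CA identified by ca_domain may issue for name."""
    rrset = relevant_caa(zone, name)
    # A record flagged critical (bit 128) with a tag the CA does not understand
    # means the CA must refuse to issue (RFC 8659 section 4.1).
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    records = [r for r in rrset if r[1] == tag]
    if wildcard and not records:
        # No issuewild records: wildcard requests fall back to the issue records.
        records = [r for r in rrset if r[1] == "issue"]
    if not records:
        return True  # CAA present but no issue/issuewild property: not restricted
    allowed = set()
    for _flags, _tag, value in records:
        issuer = value.split(";", 1)[0].strip().lower()  # drop any parameters
        if issuer:  # a bare ";" authorises nobody
            allowed.add(issuer)
    return ca_domain.lower() in allowed
```

Removing the issue record (or adding one for the other CA) is the only way the second CA gets a True here, which is exactly the trade-off described above.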

And I’ve “BeyondCorp’d” my home networks. Previously, to access the admin stuff via web pages, you had to be on a “trusted” device (a known static IP handed out via DHCP). I ripped all that out and put in a proper reverse proxy in front of everything; it uses single sign-on and two-factor authentication, and it is also reachable from the Internet. So anywhere, anytime, on any device, I should be able to do the basics of accessing web interfaces. For SSH, I have to go through a jump point that only allows RSA key authentication, but that works for me. There are a few devices that aren’t behind the reverse proxy yet (so for now they’re much less accessible). If worst comes to worst I can add “trusted” IPs back and fiddle with things, but overall I don’t trust devices anymore.

Playing with noVNC helps too: there’s a simple VM running at home that is just a CentOS 7 box acting as a workstation. It runs my email, can SSH out via RSA keys, and so on. It also now runs VNC and serves up noVNC over HTTPS, so I can open any old browser and suddenly I’m at an X11 desktop (after typing a password, of course). And guess what? That also works through the 2FA reverse proxy.

So… in theory I could walk into an Internet cafe with a keylogger and an intercepting HTTPS proxy and still have things be secure, because nothing they capture is enough to log in permanently. Not that I plan on testing it anytime soon.
