
Notes on full disk encryption on a Hetzner cloud VPS

$$9139
https://lemmy.world/u/versionc posted on Mar 9, 2026 01:46

Hello!

I’ve spent a lot of time struggling with Hetzner’s KVM console; there are a lot of problems causing severe issues with setting up passwords and passphrases. I just thought I’d create this “guide” to get things rolling, for everyone who faces the same issues I’ve faced.

Step 1 - Firewall

Set up a firewall and only open port 22 with your IP (you can look it up using ip.me).

Step 2 - Installation

Perform the installation procedure as normal, setting very simple passwords and passphrases for the user accounts and the disk encryption. Set them to something like 123. These will be changed later!

I’m using Debian 13, the steps may or may not be the same for your choice of distribution.

Step 3 - SSH access

Unmount the ISO and reboot. Enter the console again, log in as root with your simple password. Now, if you have the same problem as me, keys like /, CTRL etc. won’t work, so I used tab completion and vi to modify the config file.

# cd ../etc/ssh/
# vi sshd<TAB>

Inside vi, press o to create a new line and enter insert mode. Add:

PermitRootLogin yes
PasswordAuthentication yes

Press ESC and then <SHIFT>-yy (so holding shift and pressing y twice). This will save the file and exit vi.

Step 4 - Dropbear

ssh into your VPS. Now you have full keyboard access like usual. Install dropbear-initramfs, which is an SSH server that’s placed in the initial RAM filesystem so that you can ssh into your VPS during start up so you can easily enter your encryption passphrase.

Generate a new key pair and add the public key to /etc/dropbear/initramfs/authorized_keys

Run update-initramfs -u and reboot. You should now be able to ssh into your VPS using the key you just generated. The following command lets you unlock the encrypted disk:

cryptroot-unlock

This will probably disconnect you from the tunnel, simply re-establish the SSH tunnel again.

Step 5 - Changing passwords and passphrases

To change the encryption passphrase:

# cryptsetup luksAddKey /dev/sdXY
# cryptsetup luksRemoveKey /dev/sdXY

Lock the root user and change the password of your user (don’t forget to add the user to the sudo group!):

# passwd -l root
# passwd user

Done!

At this point you might want to use some other means to access the server, such as Netbird or Tailscale or Wireguard. Regardless of how you decide to access the server, you should revert the changes to sshd_config.

P.S.

I have no idea if this is a secure or good way to do this. Use at your own risk!

https://lemmy.world/post/44019524
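As an added example (not from the original post), two small POSIX shell helpers for the Dropbear and cleanup steps above: one builds a restricted authorized_keys entry so the initramfs key can only run cryptroot-unlock, and one checks that the temporary PermitRootLogin/PasswordAuthentication lines from Step 3 have actually been reverted from sshd_config. Function names, the sample key and the sample config are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are hypothetical.

# Build an /etc/dropbear/initramfs/authorized_keys entry that lets the key
# do nothing except run the unlock helper: no shell, no forwarding.
# Dropbear accepts the same option syntax as OpenSSH for these options;
# /bin/cryptroot-unlock is the helper's path inside the Debian initramfs.
dropbear_unlock_entry() {
    # $1 = a public key line as printed by ssh-keygen ("ssh-ed25519 AAAA... comment")
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$1"
}

# Check an sshd_config for the two console-era settings from Step 3.
# Commented-out lines are ignored. Prints each offending directive;
# returns 0 if the file is clean, 1 if either setting is still active.
sshd_config_reverted() {
    # $1 = path to sshd_config
    clean=0
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1"; then
        echo "$1: PermitRootLogin yes is still set"
        clean=1
    fi
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$1"; then
        echo "$1: PasswordAuthentication yes is still set"
        clean=1
    fi
    return "$clean"
}

# Stand-alone demo on a constructed sshd_config (not a real server file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
EOF
    dropbear_unlock_entry "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLE unlock@laptop"
    if sshd_config_reverted "$tmp"; then
        echo "sshd_config is clean"
    else
        echo "revert the Step 3 changes before leaving sshd exposed"
    fi
    rm -f "$tmp"
}

demo
```

Run sshd_config_reverted against /etc/ssh/sshd_config after the final step; a non-zero exit means the console-era settings are still in force.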

$$9852
https://lemmy.world/u/ralakus posted on Mar 10, 2026 03:53
In reply to: https://lemmy.ml/comment/24426015

They might care if it’s 69420 since the max port number is 2^16 = 65536

https://lemmy.world/comment/22574178
$$9869
https://lemmy.zip/u/frongt posted on Mar 10, 2026 04:36
In reply to: https://lemmy.ml/comment/24434877

You can fire packets as fast as you like, but if my end can’t process them that fast, either they’ll get dropped or you’ll knock me offline. Neither makes a valid scan.

https://lemmy.zip/comment/25149886

I'm bored, how is everyone?

$$8499
https://thelemmy.club/u/may_be posted on Mar 8, 2026 00:00

I’m bored. That’s it. I’m watching the 100 girlfriends anime.

https://thelemmy.club/post/45509942

$$8682
https://lemmy.world/u/alyth posted on Mar 8, 2026 07:52
In reply to: https://piefed.zip/comment/4144476

Recently my laptop shit the bed, but luckily I’d set up daily backups with restic! .. It’s been a year and I dug up the archives exactly once, to find some clippings I took from a documentary on badgers. Yeah maybe you should back things up and all but you’ll probably be fine either way.. 😅

https://lemmy.world/comment/22542107
$$8718
https://piefed.zip/u/Cris_Citrus posted on Mar 8, 2026 10:05
In reply to: https://lemmy.world/comment/22542107

My laptop shat the bed not long ago. I just pried my old drive out of it and stuck it in an enclosure 😅

That’s the drive where I back stuff up now lol

https://piefed.zip/comment/4147843

Request for Feedback/Collaboration - Bytescape, an Iroh based identity layer for the open web

$$8348
https://piefed.social/u/robert.meyer86 posted on Mar 7, 2026 19:03

Hello Fediverse,

I would like to receive some feedback on this idea I have been kicking around, and see if others might be interested in contributing. I have a basic prototype that proves out most of the technology, but not much beyond that.

The basic general description is an Iroh based identity layer for the open web. This platform would serve three primary functions:

  1. Preserve and consolidate social graph data in an encrypted local storage vault, allowing for import, display, and management of media and posts from both walled garden platforms and open platforms.
  2. A “universal translator” across open platforms, allowing for seamless connection between ActivityPub, AT protocol, and RSS subscriptions. You are able to link Mastodon, Lemmy, Pixelfed, Loops, and Bluesky accounts, and your legacy social media imports can also generate RSS subscription feeds for your previous Instagram or YouTube (among other platforms) subscriptions, with all this content showing up in a single filterable feed.
  3. Identities can be linked to any unique URL, using an umbrella DID. That URL can be any location the user chooses, including an indieweb page, a spacehey.com profile, or any other site the user controls and is able to host the corresponding DID document for cross platform identification.

There are many more details and features I have in mind that this architecture could facilitate, but this is the overarching basics of what I had in mind. I am very open to critique or analysis of this architecture, potential issues and limitations, as well as ideas for modification.

I would also welcome collaborators and contributors if there is interest, and I can open up the project for whoever may be interested. Let me know!

https://piefed.social/c/fediverse/p/1853285/request-for-feedback-collaboration-bytescape-an-iroh-based-identity-layer-for-the-open

$$9049
https://mitra.social/users/silverpill posted on Mar 8, 2026 22:12
In reply to: https://piefed.social/comment/10448089

Forte and tootik use FEP-ef61 with server-managed keys. I am working on an application where keys are stored on the client side: minimitra. This is probably closer to your idea.

Do you want to use iroh for transport, or for identity?

https://mitra.social/objects/019ccf82-2eeb-0937-ca88-adc5decbe1fd
$$9660
https://piefed.social/u/robert.meyer86 posted on Mar 9, 2026 21:38
In reply to: https://mitra.social/objects/019ccf82-2eeb-0937-ca88-adc5decbe1fd

Iroh was more of the p2p transport layer, but it is what facilitates the authentication through DID to the local vault. The work you linked is very relevant and will definitely be of use!

https://piefed.social/comment/10461476

Many more US states are planning or already have operating system age verification laws

$$7663
https://sopuli.xyz/u/ClassyHatter posted on Mar 6, 2026 14:28

In a blog post Richell notes that the New York version is far worse since it “explicitly forbids self-reporting and leaves the allowed methods to regulations written by the Attorney General”, and so developers of operating systems and devices would have to have more than just your date of birth to put you into some age bracket like the California law seems to allow.

These types of laws seem to be popping up around the US. How long until this plague spreads to other countries?

https://sopuli.xyz/post/42169228


$$8229
https://thebrainbin.org/u/Auster posted on Mar 7, 2026 15:14
In reply to: https://sopuli.xyz/post/42169228

It already did for a few years. Now countries seem to be formalizing it.

https://thebrainbin.org/m/technology@piefed.social/t/1470496/-/comment/10286236
$$8595
https://reddthat.com/u/throws_lemy posted on Mar 8, 2026 03:29
In reply to: https://sopuli.xyz/post/42169228

These types of laws seem to be popping up around the US. How long until this plague spreads to other countries?

There was a post on r/linux and OP said there were lobbyists for this bill, and Meta was one of them.

https://reddthat.com/comment/25235534

It's Saturday, what have you watched this week?

$$8171
https://piefed.social/u/Skavau posted on Mar 7, 2026 13:02

Feel free to have a look at

!movies@piefed.social
!television@piefed.social
!animation@piefed.social

https://piefed.social/c/casualconversation/p/1852333/it-s-saturday-what-have-you-watched-this-week

$$8405
https://slrpnk.net/u/Nemo posted on Mar 7, 2026 20:39
In reply to: https://piefed.social/c/casualconversation/p/1852333/it-s-saturday-what-have-you-watched-this-week

Just Sinners. And, uh, Heathers. Not that different, really.

https://slrpnk.net/comment/21122157
$$8605
https://lemmy.world/u/FinjaminPoach posted on Mar 8, 2026 04:03
In reply to: https://piefed.social/c/casualconversation/p/1852333/it-s-saturday-what-have-you-watched-this-week

Watching the first season of Poirot because it was added to Netflix

https://lemmy.world/comment/22540192

It might be a good thing for the Internet to get intrinsic resistance to DDoS attacks

$$7593
https://lemmy.today/u/tal posted on Mar 6, 2026 07:53

Internet Protocol is the protocol underlying all Internet communications, what lets a packet of information get from one computer on the Internet to another.

Since the beginning of the Internet, Internet Protocol has permitted Computer A to send a packet of information to Computer B, regardless of whether Computer B wants that packet or not. Once Computer B receives the packet, it can decide to discard it or not.

The problem is that Computer B also only has so much bandwidth available to it, and if someone can acquire control over sufficient computers that can act as Computer A, then they can overwhelm Computer B’s bandwidth by having all of these computers send packets of data to Computer B; this is a distributed denial-of-service (DDoS) attack.

Any software running on a computer — a game, pretty much any sort of malware, whatever — normally has enough permission to send information to Computer B. In general, it hasn’t been terribly hard for people to acquire enough computers to perform such a DDoS attack.

There have been, in the past, various routes to try to mitigate this. If Computer B was on a home network or on a business’s local network, then they could ask their Internet service provider to stop sending traffic from a given address to them. This wasn’t ideal in that even some small Internet service providers could be overwhelmed, and trying to filter out good traffic from bad wasn’t necessarily a trivial task, especially for an ISP that didn’t really specialize in this sort of thing.

As far as I can tell, the current norm in 2026 for dealing with DDoSes is basically “use CloudFlare”.

CloudFlare is a large American Content Delivery Network (CDN) company — that is, it has servers in locations around the world that keep identical copies of data, and when a user of a website requests, say, an image for some website using the CDN, instead of the image being returned from a given single fixed server somewhere in the world, they use several tricks to arrange for that content to be provided from a server they control near the user. This sort of thing has generally helped to keep load on international datalinks low (e.g. a user in Australia doesn’t need to touch the submarine cables out of Australia if an Australian CloudFlare server already has the image on a website that they want to see) and to keep them more-responsive for users.

However, CDNs also have a certain level of privacy implications. Large ones can monitor a lot of Internet traffic, see traffic from a user spanning many websites, as so much traffic is routed through them. The original idea behind the Internet was that it would work by having many small organizations that talked to each other in a distributed fashion, rather than having one large company basically monitor and address traffic issues Internet-wide.

A CDN is also a position to cut off traffic from an abusive user relatively-close to the source. A request is routed to its server (relatively near the flooding machine), and so a CDN can choose to simply not forward it. CloudFlare has decided to specialize in this DDoS resistance service, and has become very popular. My understanding — I have not used CloudFlare myself — is that they also have a very low barrier to start using them, see it as a way to start small websites out and then later be a path-of-least-resistance to later provide commercial services to them.

Now, I have no technical issue with CloudFlare, and as far as I know, they’ve conducted themselves appropriately. They solve a real problem, which is not a trivial problem to solve, not as the Internet is structured in 2026.

But.

If DDoSes are a problem that pretty much everyone has to be concerned about and the answer simply becomes “use CloudFlare”, that’s routing an awful lot of Internet traffic through CloudFlare. That’s handing CloudFlare an awful lot of information about what’s happening on the Internet, and giving it a lot of leverage. Certainly the Internet’s creators did not envision the idea of there basically being an “Internet, Incorporated” that was responsible for dealing with these sort of administrative issues.

We could, theoretically, have an Internet that solves the DDoS problem without use of such centralized companies. It could be that a host on the Internet could have control over who sends it traffic to a much greater degree than it does today, have some mechanism to let Computer B say “I don’t want to get traffic from this Computer A for some period of time”, and have routers block this traffic as far back as possible.

This is not a trivial problem. For one, determining that a DDoS is underway and identifying which machines are problematic is something of a specialized task. Software would have to do that, be capable of doing that.

For another, currently there is little security at the Internet Protocol layer, where this sort of thing would need to happen. A host would need to have a way to identify itself as authoritative, responsible for the IP address in question. One doesn’t want some Computer C to blacklist traffic from Computer A to Computer B.

For another, many routers are relatively limited as computers. They are not equipped to maintain a terribly-large table of Computer A, Computer B pairs to blacklist.

However, if something like this does not happen, then my expectation is that we will continue to gradually drift down the path to having a large company controlling much of the traffic on the Internet, simply because we don’t have another great way to deal with a technical limitation inherent to Internet Protocol.

This has become somewhat-more important recently, because various parties who would like to train AIs have been running badly-written Web spiders to aggressively scrape website content for their training corpus, often trying to hide that they are a single party to avoid being blocked. This has acted in many cases as a de facto distributed denial of service attack on many websites, so we’ve had software like Anubis, whose mascot you may have seen on an increasing number of websites, be deployed, in an attempt to try to identify and block these:

https://lemmy.today/api/v3/image_proxy?url=https%3A%2F%2Fraw.githubusercontent.com%2FTecharoHQ%2Fanubis%2Frefs%2Fheads%2Fmain%2Fweb%2Fstatic%2Fimg%2Fhappy.webp

We’ve had some instances on the Threadiverse get overwhelmed and become almost unusable under load in recent months from such aggressive Web spiders trying to scrape content. A number of Threadiverse instances disabled their previously-public access and require users to get accounts to view content as a way of mitigating this. In many cases, blocking traffic at the instance is sufficient, because even though the my butt web spiders are aggressive, they aren’t sufficiently so to flood a website’s Internet connection if it simply doesn’t respond to them; something like CloudFlare or Internet Protocol-level support for mitigating DDoS attacks isn’t necessarily required. But it does bring the DDoS issue, something that has always been an issue for the Internet, back to prominent light again in a new way.

It would also solve some other problems. CloudFlare is appropriate for websites, but not all Internet activity is over HTTPS. DoS attacks have happened for a long time — IRC users with disputes (IRC traditionally exposing user IP addresses) would flood each other, for example, and it’d be nice to have a general solution to the problem that isn’t limited to HTTPS.

It could also potentially mitigate DoS attacks more-effectively than do CDNs, since it’d permit pushing a blacklist request further up the network than a CDN datacenter, up to an ISP level.

Thoughts?

https://lemmy.today/post/48806177

$$7662
https://lemmy.world/u/non_burglar posted on Mar 6, 2026 14:27
In reply to: https://lemmy.today/post/48806177
  1. Akamai is by a huge margin the single biggest CDN in the world, they are the 800lb gorilla. Fastly and Cloudflare aren’t minor players by any means, but their volume is not in the same league.
  2. CDNs and DDOS don’t have much to do with each other. Cloudflare mitigates DDOS by scaling up network capacity and using pretty advanced pattern detection to simply soak up the traffic. Cloudflare is really, really good at scaling.

Now on that last point, there will indeed come a time when simply using the engineering technique of “making things bigger” won’t work if the attacks become sophisticated enough, but at that point networking will have fully become geopolitical tools (more than they are now).

https://lemmy.world/comment/22511977
$$7749
https://programming.dev/u/clean_anion posted on Mar 6, 2026 19:05
In reply to: https://lemmy.today/post/48806177

A Layer-3 (network-layer) blacklist risks cutting off innocent CGNAT and cloud users. What you’re proposing is similar to mechanisms that already exist (e.g., access control lists at the ISP level work by asking computer B which requests it wants to reject and rejecting those that originate from computer A). However, implementing any large-scale blocking effort beyond the endpoint (i.e. telling an unrelated computer C to blackhole all requests from computer A to computer B) would be too computationally expensive for a use case as wide and as precise as “every computer on the Internet”.

Also, in your post you mentioned, “A host would need to have a way to identify itself as authoritative, responsible for the IP address in question.” This already happens in the form of BGP though it doesn’t provide cryptographic proof of ownership unless additional mechanisms are in use (RPKI/ROA).

https://programming.dev/comment/22569089

Music Monday [Week 10] - What have you been listening to lately?

$$6188
https://piefed.social/u/Bags posted on Mar 2, 2026 12:00

Have you been rocking an old classic? Discovering something new? Revisiting some nostalgic bands from the past?

If you’ve got links, post ‘em up!

A fun tool for discovering new bands: https://www.music-map.com/

https://piefed.social/c/casualconversation/p/1833316/music-monday-week-10-what-have-you-been-listening-to-lately

$$6255
https://programming.dev/u/zero_spelled_with_an_ecks posted on Mar 2, 2026 15:30
In reply to: https://piefed.social/c/casualconversation/p/1833316/music-monday-week-10-what-have-you-been-listening-to-lately

A friend of mine sent me some of his recent find, Seb Lowe. A bit on the nose for me, but catchy.

https://youtu.be/jmjLNDobZqM

https://youtu.be/PuBbt10Atzo

https://youtu.be/Rt5qLFFcu6o

https://programming.dev/comment/22482359
$$6727
https://lemmy.dbzer0.com/u/clubb posted on Mar 3, 2026 17:12
In reply to: https://piefed.social/c/casualconversation/p/1833316/music-monday-week-10-what-have-you-been-listening-to-lately

Been listening to early In Flames, before they turned alt metal.

While I couldn’t possibly choose between Clayman (2000) and Colony (1999) for a prolonged period of time, these 2 albums have really shaped my music tastes.

As for the past week, I can’t stop listening to Colony. It’s just too good. If you want a sample, the most well-known song is Zombie Inc. Failing that, I really recommend Colony (the track).


https://lemmy.dbzer0.com/comment/24737475

Conversation

$$6045
https://thebrainbin.org/u/Auster posted on Mar 2, 2026 03:58
In reply to: https://forum.unfinishedprojects.net/post/53

@anthony@forum.unfinishedprojects.net did a like from an Mbin instance. 13 likes on my side.

https://thebrainbin.org/m/fediverse@lemmy.world/p/513040/-/reply/459118

What fediverse/social network concept/feature/UI do you enjoy the most?

$$5511
https://piefed.social/u/Snoopy posted on Mar 1, 2026 03:00

!communitypromo@lemmy.ca • !newcommunities@lemmy.world • !fedigrow@lemmy.zip • !newtolemmy@lemmy.ca


Hi!

Welcome to our monthly thread! I hope you are well :)

Here we will talk about features, UI and concepts across the web and apps, such as:
- voting for a new mods team
- nomadic identity
- collaborative writing with color
- a beautiful UI, swiping gestures…
- accessibility ideas…
- a personal project?

Well, I hope we will find something fun to discuss and share. :)

https://piefed.social/c/fediverse/p/1829335/what-fediverse-social-network-concept-feature-ui-do-you-enjoy-the-most

$$5729
https://thebrainbin.org/u/Auster posted on Mar 1, 2026 16:06
In reply to: https://piefed.social/comment/10344602

Btw, about being easily accessible, fedia.io and friendica.social both are private instances, and for a time thebrainbin.org was too, but neither entered a whitelist-type of defederation and so communities and users from all 3 could still be followed from elsewhere. In a similar sense, misskey.io only accepts registrations over non-proxy/VPN Japanese IPs, and feddit.it only accepts registrations if the user can speak Italian and knows of Italian news, and yet both can be followed externally just fine.

https://thebrainbin.org/m/fediverse@piefed.social/t/1455942/-/comment/10195767
$$5733
https://piefed.zip/u/MindfulMaverick posted on Mar 1, 2026 16:11
In reply to: https://piefed.social/c/fediverse/p/1829335/what-fediverse-social-network-concept-feature-ui-do-you-enjoy-the-most

The two concepts I appreciate most are:

  • Slashdot-Style Nuanced Voting
  • Discourse Trust Level Systems
https://piefed.zip/comment/4030524

Lemmy.today is absolutely beautiful

$$5571
https://lemmy.ml/u/Cataphract posted on Mar 1, 2026 07:27

I browse different lemmy instances usually because the feed is always different. Was blown away when I recently went to lemmy.today, no clue when they did the change but whoever is in charge of the design has my admiration! *(chef’s kiss)*

https://lemmy.ml/post/43864598

$$10449
https://lemmy.world/u/monkeyjoe posted on Mar 11, 2026 09:03
In reply to: https://lemmy.world/comment/22463557

@UniversalMonk@anarchist.nexus @universalmonk@piefed.social Wanna give people the actual you instead of people misremembering what you said and did?

https://lemmy.world/comment/22597157
$$10450
https://lemmy.world/u/monkeyjoe posted on Mar 11, 2026 09:04
In reply to: https://lemmy.world/comment/22463557

@UniversalMonk@lemmy.dbzer0.com Wanna give people the actual you instead of people misremembering what you said and did? Up in the thread.

https://lemmy.world/comment/22597174