There are many ways to harden against it, but “just disable root auth” is not really it, since it in itself does not add much.

No you can alias that command and hijack the password promt via bashrc and then you have the root password as soon as the user enters it.

With aliases in the bashrc you can hijack any command and execute instead of the command any arbitrary commands. So the command can be extracted, as already stated above, this is not a weakness of sudo but a general one.

And how would you not be able to hijack the password when you have control over the user session?

And what do you suggest to use otherwise to maintain a server? I am not aware of a solution that would help here? As an attacker you could easily alias any command or even start a modified shell that logs ever keystroke and simulates the default bash/zsh or whatever.

The scenario OC stated is that if the attacker has access to the user on the server then the attacker would still need the sudo password in order to get root privileges, contrary to direct root login where the attack has direct access to root privileges.

So, now i am looking into this scenario where the attack is on the server with the user privileges: the attacker now modifies for example the bashrc to alias sudo to extract the password once the user runs sudo.

So the sudo password does not have any meaningful protection, other then maybe adding a time variable which is when the user accesses the server and runs sudo

The attacker that is currently with user privileges on the server?

Most comments here suggest 3 things

1. least privilege: Which is ok, but on a Server any modification you do requires root anyway, there is usually very little benefit
2. Additional protection through required sudo password: This is for example easily circumvented by modifying the bashrc or similar with an sudo alias to get the password
3. Multiuser & audittrails: yes this is a valid point, on a system that is modified or administered by multiple ppl there are various reasons lime access logging and UAC for that

An actual person from the pen testing world: https://youtu.be/fKuqYQdqRIs

The sudo password can be easily extracted by modifying the bashrc.

Nope, not really. The only reason ppl recommend it is, because “you have then to guess the username too”. Which is just not relevant if you use strong authentication method like keys or only strong passwords.

Why would you need Tailscale for syncthing?

I don’t use browser extensions and I manually copy/paste my passwords to fill in entries.

On most systems copy pasting is heavily insecure since a lot of processes have access to the clipboard. autotype and thinga like browser extensions are considered more secure.

Either you are heavily misinformed about how difficult arch is, or you lack any confidence in your ‘Linux skill’.

Choose the system you want to achieve, follow the wiki and choose the software you want to use using it and you are good to go, it really is not that hard. You can always use archinstall.

But the fragmentation on SSDs does not really matter, does it? Yes you need to keep track of all the fragments but this is not really a problem as far as i am aware. To my knowledge, increasing latency on bigger storage is a problem that faces all storage technologies we hqve atm.

You do not even need a port based firewall when the server is open on the internet.

When you configure the software to not have unnecessary open ports over the internet connected interface then a port based firewall is providing zero additional security.

A port based firewall has the benefit that you can lock everything down to the few ports you actually need, and do not have to worry about misconfigured software.

For example, something like docker circumvents ufw anyway. And i know ppl that had open ports even tho they had ufw running.

Clickbait (also known as link bait or linkbait) is a text or a thumbnail link that is designed to attract attention and to entice users to follow (“click”) that link and view, read, stream or listen to the linked piece of online content, being typically deceptive, sensationalized, or otherwise misleading.

https://en.wikipedia.org/wiki/Clickbait

Title is not really deceptive or misleading.

That is not really covering the topic for everyone, this only covers the article for ppl who are paying already for the pass.

Not seeing how this is clickbait. The title sums it up on point.

At the same time crowdsec heavily benefits of the big free userbase since they ‘crowdsource’ their thread detection.

Just a simple hole renders them useless. The only method to reconstruct them from there would be any kind of SEM or AFM which would still take weeks to months to years depending on the size/density of the drives.

Even just opening them up and smacking the disks would be sufficient

Next time just encrypt them.

Just because there is no update does not mean there are security vulnerabilities to worry about, or do you have a specific one that is not fixed?

The attack vector seems very narrow to me. It checks the container registry downloads the containers and runs some docker commands.

It has no interface, so in order to attack it you either have to compromise the container registry (but then it would be easier to compromise the containers you download) the secure connection used to download the containers (https is quite stable) or something on the server side.

Also the project does not really look that abundant to me.

EDIT: So i have not checked this, but watchtower is probably using docker for most steps anyway? So basically the only thing that could be attacked is via the notifications watchtower is sending?