
Posted by zdw 2 days ago

When internal hostnames are leaked to the clown (rachelbythebay.com)
442 points | 250 comments
notsylver 2 days ago|
I think people are misunderstanding. This isn't CT logs, it's a wildcard certificate so it wouldn't leak the "nas" part. It's Sentry catching client-side traces and calling home with them, and then picking out the hostname from the request that sent them (i.e., "nas.nothing-special.whatever.example.com") and trying to poll it for whatever reason, which is going to a separate server that is catching the wildcard domain and being rejected.
spondyl 1 day ago||
My first thought was perhaps they're trying to fetch a favicon for rendering against the traces in the UI?
n0w 1 day ago||
They're likely trying to retrieve source maps
hsbauauvhabzb 1 day ago|||
Sounds like a great way to get sentry to fire off arbitrary requests to IPs you don’t own.

Sure hope nobody does that targeting IPs (like that blacklist in masscan) that will auto-report you to your ISP/ASN/whatever for your abusive traffic. Repeatedly.

leoc 1 day ago||
Obligatory Bruce Schneier: https://www.schneier.com/blog/archives/2008/03/the_security_...
ralferoo 1 day ago|||
Hehe, just reading that.

> The poster described how she was able to retrieve her car after service just by giving the attendant her last name. Now any normal car owner would be happy about how easy it was to get her car back, but someone with a security mindset immediately thinks: “Can I really get a car just by knowing the last name of someone whose car is being serviced?”

Just a couple of hours ago, I picked my car up from having its obligatory annual vehicle check. I walked past it and went into their office, saying "I'm here to pick up my car". "Which one is it?" "The Golf" "Oh, the $MODEL?" (it was the only Golf in their car park) "Yeah". And then after payment of £30, the keys were handed over without checking of anything, not even a confirmation of my surname. This was a different guy to the one who was in there an hour earlier when I dropped the car off.

duxup 1 day ago|||
I feel like that car security situation is also sort of set up to tell us how folks with a security mindset can go overboard?

Some car dealership who never had a car stolen hires a consultant and they identify this pickup situation as a problem. Then they implement some wild security and now customers who just dropped off their car, just talked to the same customer service person about the weather ... have to go through some extra security to impersonally prove who they are, because someone imagined a problem that has never occurred (or nearly never). But here we go doing the security dance because someone imagined a problem that really has nothing to do with how people actually steal cars...

Computers and the internet are different of course, the volume of possibilities / bad actors you could be exposed to are seemingly endless. Yet even there security mindset can go overboard.

I'm currently trying to recover/move some developer accounts for some services because we had someone leave the company less than gracefully. Often I have my own account; it's part of an organization... but moving ownership is an arduous and bizarrely different process for each company. I get it, you wouldn't want someone to take over our no-name organization, but the processes all seem to involve extra steps piled on "for security". The fact that I'm already a customer, have an account in good standing, am part of the organization, the organization account holder has been inactive... doesn't seem to matter at all; I may as well be a stranger from the outside, presumably because of "security".

ryandrake 1 day ago|||
It certainly feels that way here in 2026. It seems like I'm spending so much time "verifying" and "authenticating" and clicking somewhere so that the service can send me a code in E-mail. And more and more services are getting super aggressive. Biometrics, 2FA, uploading government ID, uploading face scans... Good grief!

I can imagine being in info-sec is a rough life. When you get breached, they're blamed. So they spend all their time red-teaming and coming up with outlandish ways that their systems can be compromised, and equally outlandish hoops for users to jump through just to use their product. So the product gets all these hoops. And then an attacker gets even more creative, breaches you again, and now your product has horrible UX + you're still getting breached.

xp84 1 day ago|||
The way so-called ‘2FA’ has been implemented on 90% of the things I interact with as a consumer is an absolute farce. Control of a SIM is nearly 100% of the time sufficient to get absolute control of any account, and showing a $50 fake ID to a teenager at a cell phone store has probably a 99% success rate. Only sites for nerds, plus Google and Microsoft, support TOTP or passkeys. Everywhere else uses the SMS BS for 2FA, or often effectively 1FA if it can be used to reset the first factor. And these same idiots lecture you for your 100-character password not containing “at least one of these SIX special characters”, an upper, a lower, and a digit. `Password1!` is a suitable password to these systems.
icedchai 5 hours ago||
Don't forget about password reset policies. At one place with a dedicated "security theater" team, I have to change my password every 90 days, so I just add the year and month to a base password. Password!2602 it is!
tracker1 1 day ago|||
On the flip side... I can't tell you how many times I've had to explain how public/private key crypto works to developers and IT security staff working on government projects. And this is just for one-way trust of JWTs for SSO integrations.

I mean, I don't mind if the same dev public-keys are used nearly everywhere in internal dev and testing environments... but JFC, don't deploy them to client infrastructure for our apps.

FWIW, aside... for about the last decade, I generally separate auth from the application I'm working with, relying on a limited set of established roles and RSA-signed JWTs, allowing for the configuration of one or more issuers. This allows for a "devauth" that you can run locally for "whoever you want" usage, while more easily integrating into other SSO systems and bridging with other auth services/systems in differing production environments. Even with firm SSO/OAuth, etc. services, it's still the gist of the configuration.

RcouF1uZ4gsC 1 day ago|||
And then some person realizes that government ids can be faked, so they set up a system of doing a retinal scan of the person dropping off the car and then comparing it to the retinal scan of the person picking it up.

Then they realize that one person may be bribed so they require at least two people to verify at pickup and drop off.

Meanwhile, a car has never ever been stolen this way.

tracker1 1 day ago|||
And when I need my wife to pick up my car for me because I took hers to work and she's taking an Uber to get my car...?

Definitely over the top issue.

duxup 1 day ago|||
Yup, it's taking me probably 10x longer gathering legitimate documents to send to these companies.

Meanwhile I could fake them all in a fairly short amount of time...

Spooky23 1 day ago||||
It’s a risk/reward scenario, and an example of security minded people chasing ghosts.

The likelihood of conmen stealing VW Golfs from repair shops is a really low risk/high impact event. So they could demand your passport and piss you off or have you leave a happy customer.

In the remote chance the con artist strikes, it’s a general liability covered by insurance.

Nextgrid 1 day ago||||
The difference is that car theft is still prosecuted by police, whereas cybercrime is not (unless you embarrass a huge corporation).

So the garage can have lower security because even potential thieves do a risk/reward calculation and the vast majority choose not to proceed with it.

Online, the risk/reward calculation is different (what risk?), so more people will be tempted to try (even for the lolz - not every act of cybercrime is done for monetary purposes).

direwolf20 1 day ago||||
Besides thinking about how to steal a car, we can think about how the dealership stops you stealing a car. Your face is plastered all over several cameras, and they know the license plate.
RajT88 1 day ago||||
The fact that so many things in the world work like this is the reason for the continued appeal of heist movies. Those always contain clever bits of social engineering and confidence scams which move the plot along - and they are as believable today as they always were.
Wowfunhappy 1 day ago|||
Aren't there easier ways to steal cars? Like, go to an open parking lot, pick the lock, and start the car by connecting the right wires.

It's risky, sure. But the garage situation also seems risky.

MisterTea 1 day ago|||
It's even easier than that. A lot of older ignition locks could be defeated by a screwdriver, so you just smash the window, jimmy the ignition lock with the screwdriver and off you go! There was a specific model of Jeep that was stolen a lot because the rear lock could be popped out easily with pliers, a matching key made, and you return later with the key to steal the car.
jamesfinlayson 1 day ago||||
> start the car by connecting the right wires

I might be misinformed but I've been told that for a while now (maybe 20 years or so), new cars have been built to be exceptionally difficult to hot-wire.

A South African friend told me that some brand of four wheel drive could be hot-wired but it involved getting behind one of the front head-lamp bulbs - doable, but a damaging process if you're in a rush.

koverstreet 1 day ago||||
You'd have to be stupid and desperate to steal from a garage.

The people who work there aren't office workers; you've got blue collar workers who spend all day working together and hanging out using heavy equipment right in the back. And they're going to be well acquainted with the local tow truck drivers and the local police - so unless you're somewhere like Detroit, you better be on your way across state lines the moment you're out of there. And you're not conning a typical corporate drone who sees 100 faces a day; they'll be able to give a good description.

And then what? You're either stuck filing off VINs and faking a bunch of paperwork, or you have to sell it to a chop shop. The only way it'd plausibly have a decent enough payoff is if you're scouting for unique vehicles with some value (say, a mint condition 3000GT), but that's an even worse proposition for social engineering - people working in a garage are car guys, when someone brings in a cool vehicle everyone's talking about it and the guy who brought it in. Good luck with that :)

Dealership? Even worse proposition, they're actual targets so they know how to track down missing vehicles.

If you really want to steal a car via social engineering, hit a car rental place, give them fake documentation, then drive to a different state to unload it - you still have to fake all the paperwork, and strip anything that identifies it as a rental, and you won't be able to sell to anyone reputable so it'll be a slow process, and you'll need to disguise your appearance differently both times so descriptions don't match later. IOW - if you're doing it right so it has a chance in hell of working, that office job starts to sound a whole lot less tedious.

Way easier to just write code :)

SR2Z 1 day ago||
Stolen cars are often sold for low amounts of money - like $50 - and then used to commit crimes that are not traceable from their plates. It hasn't really been possible to steal and resell a car in the United States for many years, barring a few carefully watched loopholes (Vermont out-of-state registrations is one example that was recently closed).

When Kia and Hyundai were recently selling models without real keys or ignition interlocks, that was the main thing folks did when they stole them.

foldor 1 day ago|||
In Canada there's been a big problem with stolen cars lately. Mostly trucks, and other high value vehicles though. Selling them locally isn't feasible, but there's a criminal organization that's gotten very good at getting them on container ships and out to countries that don't care if the vehicles are stolen. So even with tracking, there's nothing people can do. Stopping it at the port is the obvious fix, but somehow that's not what is being done. Probably bribery to look the other way.
jamesfinlayson 1 day ago||
Same thing in Australia - some gang was busted recently for stealing mid-range four wheel drives, packing them in shipping containers with partially dismantled cars (I guess so that a cursory inspection would just show "car parts" rather than a single nice looking car) and then shipping them around the world (I guess an overseas buyer isn't checking if a car with this VIN has been stolen on the other side of the world).
koverstreet 1 day ago|||
Yeah, the only way to do it would be a cash transaction where you'd have to forge a legitimate looking title/registration and pass it off to a naive buyer. So it's still technically possible, but not in any kind of remotely scalable way.
b00ty4breakfast 1 day ago|||
I reckon it is infinitely riskier to be caught attempting to break into a car than it is to just walk into a service garage and pretend you own the Vdub in the parking lot. There is still a bit of deniability in the 2nd option, but good luck explaining to the police why you are using a set of tools specifically for picking vehicle locks (because you can't just use regular picks and tension wrenches) to break into a vehicle that you don't own.
fc417fc802 1 day ago|||
Good read, but:

> This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves ...

I have to disagree in the strongest terms. It doesn't matter what it is, the only way to do a good job designing something is to imagine the ways in which things could go wrong. You have to poke holes in your own design and then fix them rather than leaving it to the real world to tear your project to shreds after the fact.

The same thing applies to science. Any even half decent scientist is constantly attempting to tear his own theories apart.

I think Schneier is correct about that sort of thinking not being natural for your typical person. But it _is_ natural (or rather a prerequisite) for truly competent engineers and scientists.

dh2022 1 day ago||||
I agree. A good engineer would think about all possible corner cases (*). Security is another set of corner cases.

(*) Just yesterday I had to correct a PR because the engineer did not think of some corner cases. All sorts of corner cases happen in real life.

bratwurst3000 1 day ago||||
Hmmm, I am 50% with you. Imho to be an amazing engineer is to see a problem and find a good (whatever good means) solution. Being a good scientist is asking precise questions and finding experiments validating them.

I think it's more the nuanced difference between safety and security. Engineers build things so they run safe. For example, building a roof that doesn't collapse is a safe roof. Is the roof secure? Maybe I can put thermites in the wood...

This is the difference. Safety is no harm done from the thing itself that engineers build, and security is securing the thing from harm from outside.

fc417fc802 1 day ago|||
That is true, but security is similarly subject to the need to constrain threat models to those that are relevant. The scientist doesn't need to worry about mass production, the engineer (in most cases) doesn't need to worry about someone taking a chain saw to it.

Security will have a wider scope by default (unlike natural phenomena, attacks are motivated and can get pretty creative after all) but there will still be some boundary outside of which "not my problem" applies. Regardless, it's the same fundamental thought pattern in use. Repeatedly asking "what did I overlook, what unintended assumptions did I make, how could this break".

That said, admittedly by the time you make it to the scale of Google or Microsoft and are seriously considering intelligence agencies as adversaries the sky is the limit. But then the same sort of "every last detail is always your problem" mentality also applies to the engineers and software developers building things that go to space (for example).

klaff 1 day ago|||
Now I'm scared at the idea of termites with thermite!
atroon 1 day ago|||
It wasn't typical in 2008, I think, is the upshot.
doctorpangloss 1 day ago||
people are misunderstanding because the blog post is really confusing and poorly written haha
b1temy 1 day ago||
Is "clown GCP Host" a technical term I am unaware of, or is the author just voicing their discontent?

Seems to me that the problem is the NAS's web interface using sentry for logging/monitoring, and part of what was logged were internal hostnames (which might be named in a way that has sensitive info, e.g, the corp-and-other-corp-merger example they gave. So it wouldn't matter that it's inaccessible in a private network, the name itself is sensitive information.).

In that case, I would personally replace the operating system of the NAS with one that is free/open source that I trust and does not phone home. I suppose some form of adblocking à la Pi-hole or some other DNS configuration that blocks Sentry calls would work too, but I would just go with using an operating system I trust.

jraph 1 day ago||
> Is "clown GCP Host" a technical term I am unaware of, or is the author just voicing their discontent?

Clown is Rachel's word for (Big Tech's) cloud.

dehrmann 1 day ago|||
She was (or is) at Facebook, and "clowntown" and "clowny" are words you see there.
jraph 1 day ago|||
> She was (or is) at Facebook

was (and she worked at Google too)

> "clowntown" and "clowny" are words you see there.

Didn't know this, interesting!

mintplant 1 day ago||||
"Clownshoes" is common as an adjective at Mozilla.
zombot 1 day ago||||
[flagged]
ChrisMarshallNY 1 day ago||
No that's Von Clownstick. I won't link to the video, where Jon Stewart made it up, as that would probably be a bit much, for here.
zombot 22 hours ago||
Thank you, you made my day.
iwontberude 1 day ago|||
[flagged]
Anon1096 1 day ago|||
No it's because lots of stuff is duct taped together and then you have tons of scripts or tooling that was someone's weekend project (to make their oncall burden easier) that they shared around. Usually there'll be a flag like --clowntown or --clowny-xyz when it's obvious to all parties involved that it's destined to destroy everything one day but YOLO (also a common one).
robby_w_g 1 day ago||
Maybe the AI hype is a misdirect so we will blame LLMs for future tech failures instead of the engineers who built up these services
dang 1 day ago|||
Could you please stop posting unsubstantive comments and flamebait? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.

You may not owe clown-resemblers better, but you owe this community better if you're participating in it.

We ban accounts that keep posting in this sort of pattern, as yours has, so if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.

iwontberude 1 day ago|||
As long as you and I both agree on the truth, I am willing to go along with your moderation. I can cut down on some of the editorial remarks, but everyone on this site engages in some level of unsubstantiated commentary and I really would appreciate knowing what % of posts can be unsubstantiated opinion before it becomes a significant pattern.
hk1337 1 day ago||||
So, it's basically like Cloud2Butt but with a different word.
baxtr 1 day ago||||
Anyone know how she came up with the word or why she chose it?
rwmj 1 day ago|||
Maybe from JWZ? https://cdn.jwz.org/images/2016/clown-computing.png
yborg 1 day ago|||
Huh. How did you link to jwz without getting THAT image?
jraph 1 day ago||
It's another domain, jwz probably didn't set up that redirection on this one.
kadoban 1 day ago||||
Probably just because it looks/sounds a little like cloud and has the connotations she wants.

It feels pretty hacker jargon-ish, it has some "hysterical raisins" type wordplay vibes.

oniony 1 day ago||||
Maybe she's a juggalo.
senectus1 1 day ago|||
Amusingly, it's a term used by my co-workers to describe anyone that's not them.
jraph 1 day ago|||
Oh well... I suppose humility is your coworkers' defining quality? :-)
senectus1 1 day ago||
oh the answer to this is definitive. :-P
JackFr 1 day ago||||
"What clown wrote this ... [ runs git blame ] ...erm...never mind."
jrflowers 1 day ago||||
Your coworkers call you a clown?
senectus1 1 day ago||
I didn't call them workmates.
jrflowers 1 day ago||
Hire somebody to make balloon animals in the office for a couple hours, pay in cash, tell the balloonist that your name is [coworker’s name]
NoGravitas 1 day ago|||
“When you became Denise, I told all of your colleagues, those clown comics, to fix their hearts or die.”
1vuio0pswjnm7 1 day ago|||
I remember the term "clown computing" to describe "cloud computing" from IRC earlier than 2016

I use a localhost TLS forward proxy for all TCP and HTTP over the LAN

There is no access to remote DNS, only local DNS. I use stored DNS data periodically gathered in bulk from various sources. As such, HTTP and other traffic over TCP that use hostnames cannot reach hosts on the internet unless I allow it in local DNS or the proxy config

For me, "WebPKI" has proven useful for blocking attempts to phone home. Attempts to phone home that try to use TLS will fail

I also like adding CSP response header that effectively blocks certain Javascript

It sounds like the blog author gave the NAS direct access to the internet

Every user is different, not everyone has the same preferences

1vuio0pswjnm7 1 day ago|||
Or the author gave a browser direct access to the internet

For example, I have seen a freshly installed Firefox Nightly try to connect to sentry.io on startup

For me, these attempts never succeed

1vuio0pswjnm7 15 hours ago||||
"snowgoose"
simoncion 1 day ago|||
> It sounds like the blog author gave the NAS direct access to the internet

FTFA:

  Every time you load up the NAS [in your browser], you get some clown GCP host knocking on your door, presenting a SNI hostname of that thing you buried deep inside your infrastructure. Hope you didn't name it anything sensitive, like "mycorp-and-othercorp-planned-merger-storage", or something.
  
  Around this time, you realize that the web interface for this thing has some stuff that phones home, and part of what it does is to send stack traces back to sentry.io. Yep, your browser is calling back to them, and it's telling them the hostname you use for your internal storage box. Then for some reason, they're making a TLS connection back to it, but they don't ever request anything. Curious, right?
  
  This is when you fire up Little Snitch, block the whole domain for any app on the machine, and go on with life. 
I disagree with your conclusion. The post speaks specifically about interactions with the NAS through a browser being the source of the problem and the use of an OSX application firewall program called Little Snitch to resolve the problem. [0] The author's ~fifteen years of posts demonstrate that she is a significantly accomplished and knowledgeable system administrator who has configured and debugged much trickier things than what's described in the article.

It's not impossible that the source of the problem has been misidentified... but it's extremely unlikely. Having said that, one thing I do find likely is that the NAS in question is isolated from the Internet; that's just a smart thing that a savvy sysadmin would do.

[0] I find it... unlikely that the NAS in question is running OSX, so Little Snitch is almost certainly running on a client PC, rather than the NAS.

rausr 1 day ago|||
> Is "clown GCP Host" a technical term I am unaware of, or is the author just voicing their discontent?

The term has been in use for quite some time; It is voicing sarcastic discontent with the hyperscaler platforms _and_ their users (the idea being that the platform is "someone else's computer" or - more up to date - "a landlord for your data"). I'm not sure if she coined it, but if she did then good on her!

Not everyone believes using "the cloud" is a good idea, and for those of us who have run their own infrastructure "on-premises" or co-located, the clown is considered suitably patronising. Just saying ;)

b1temy 1 day ago||
> the idea being that the platform is "someone else's computer"

I have a vague memory of once having a userscript or browser extension that replaced every instance of the word "cloud" with "other peoples' computers". (iirc while funny, it was not practical, and I removed it).

fwiw I agree and I do not believe using "the cloud" for everything is a good idea either, I've just never heard of the word "clown" being used in this way before now.

masto 1 day ago||
“Cloud to butt” was popular in the early cloud days. It went around Google internally, and caused some… interesting issues.
ryandrake 1 day ago||
I remember ridiculing "cloud computing" by calling it "clown computing" decades ago. It's pretty old and well established snark-jargon, like spelling Micro$oft with a dollar sign.
seethishat 1 day ago|||
Also, sometimes, we use the term 'weenie' rather than 'clown'. They are interchangeable.
user_of_the_wek 1 day ago|||
The circus left town, but the clowns are still here.
wlonkly 1 day ago||
But whose monkeys are these?
m463 1 day ago||
with clown=cloud, GCP must mean google clown platform
andix 1 day ago||
Hostnames are not private information. There are too many ways they get leaked to the outside world.

It can be useful to hide a private service behind a URL that isn't easy to guess (less attack surface, because a lot of attackers can't find the service). But it needs to be inside the URL path, not the hostname.

  bad: my-hidden-fileservice-007-abc123.example.com/
  good: fileservice.example.com/my-hidden-service-007-abc123/
In the first example the name is leaked with DNS queries, TLS certificates and many other possibilities. In the second example the secret path is only transmitted via HTTPS and doesn't leak as easily.
amichal 1 day ago||
Marginally better for sure, but in this case the path would also have been "leaked" to the Sentry instance owned by the developers of the NAS device phoning home. This can happen in zillions of ways and is a good reason to use relatively opaque URLs in general and not "friendly ids", and generally to be careful about putting secrets in URLs.
andix 1 day ago||
Just try it. The first example gets attacked by bots nearly immediately after issuing a TLS cert. The second one usually doesn't get detected at all.
Kwpolska 1 day ago||
What if you have a wildcard cert for *.example.com?
andix 1 day ago|||
Much better. But you still leave traces from dns queries.

Subfinder has a lot of sources to find subdomains, not only certs: https://github.com/projectdiscovery/subfinder

jamesfinlayson 1 day ago|||
I worked at a company where the security team disliked wildcard certificates because it exposed us to the risk of someone, somehow, hosting something malicious on a subdomain.
Wowfunhappy 1 day ago||
Curious, does this still apply if http is used exclusively?
contravariant 1 day ago||
Well no, in that case all traffic is exposed anyway.
Wowfunhappy 1 day ago||
I meant will people be able to find that the hostname exists.
direwolf20 1 day ago||
Who's your DNS set to (on both ends)? They're probably selling logs.
yabones 1 day ago||
Stuff like this is why I consider uBlock Origin to be the bare minimum security software for going on the web. The amount of 3rd party scripts running on most pages, constantly leaking data to everybody listening, is just mind boggling.

It's treating a symptom rather than a disease, but what else can we do?

behringer 1 day ago|
I also have taken to using AdGuard Home on the router. It blocks 15 or 20 percent of all my traffic. It's quite scary how bad the tracking and other nasties have become.
mike-cardwell 1 day ago||
Only way I can think of protecting against this is to put a reverse proxy in front of it, like Nginx, and inject CSP headers to prevent cross site requests. Wouldn't block the NAS server side from making external calls, but would prevent your browser doing it for them as is the case here. Also would prevent stuff like Google Analytics if they have it. If you set up a proxy, you could also give it a local hostname like nas.local or something with a cert signed by your private CA that Nginx knows about, and then point the real hostname at Nginx, which has the wildcard cert.

Bit of a pain to set this all up though. I run a number of services on my home network and I always stick Nginx in front with a restrictive CSP policy, and then open that policy up as needed. For example, I'm running Home Assistant, and I have the Steam plugin, which I assume is responsible for requests from my browser like for: https://avatars.steamstatic.com/HASH_medium.jpg, which are being blocked by my injected CSP policy

P.S. I might decide to let that Steam request through so I can see avatars in the UI. I also inject "Referrer-Policy: no-referrer", so if I do decide to do that, at least they won't see my HA hostname in their logs by default.
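The two headers mike-cardwell injects from nginx (`add_header Content-Security-Policy ...` and `add_header Referrer-Policy ...`) are enforced by the browser, not the proxy, which is why they stop the browser-side Sentry call but not anything the NAS does server-side. The block below is an added example, not code from the post, from nginx or from Sentry: a small Python model of how a browser evaluates a CSP source list against an outgoing request, plus the Referer a request would carry under `no-referrer` versus the browser default `strict-origin-when-cross-origin`. The NAS origin, the policy string and the `o12345.ingest.sentry.io` hostname are constructed for illustration; the matcher is simplified (no path matching, no nonce/hash sources, default ports only).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """'default-src 'self'; img-src 'self' https://a.example' ->
    {'default-src': ["'self'"], 'img-src': ["'self'", 'https://a.example']}.
    As in real browsers, the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower()))


def _host_source_matches(source, url):
    """Simplified host-source match: [scheme://]host[:port], host may start with '*.'."""
    scheme, host, port = _origin(url)
    src_scheme = None
    if "://" in source:
        src_scheme, source = source.split("://", 1)
    src_host, _, src_port = source.partition("/")[0].partition(":")
    src_host = src_host.lower()
    if src_scheme and src_scheme.lower() != scheme:
        return False
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):  # '*.example.com' matches subdomains, not the bare domain
        return host.endswith(src_host[1:]) and host != src_host[2:]
    return host == src_host


def source_matches(source, url, page_origin):
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == _origin(page_origin)
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:  # scheme-source such as 'https:'
        return urlsplit(url).scheme.lower() == source[:-1].lower()
    if source.startswith("'"):  # nonces, hashes, 'unsafe-inline': not URL sources
        return False
    return _host_source_matches(source, url)


def request_allowed(policy, directive, url, page_origin):
    """Would a browser enforcing `policy` let a page at `page_origin` fetch `url` under
    `directive` ('connect-src' for fetch/XHR, 'img-src' for images, ...)? Fetch directives
    fall back to default-src; with no governing directive at all everything is allowed."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def referrer_sent(referrer_policy, page_url, target_url):
    """Referer header attached to a request from page_url to target_url, for the two
    policies relevant here. Returns None when no Referer is sent."""
    if referrer_policy == "no-referrer":
        return None
    if referrer_policy != "strict-origin-when-cross-origin":
        raise ValueError("policy not modelled: " + referrer_policy)
    page, target = urlsplit(page_url), urlsplit(target_url)
    if _origin(page_url) == _origin(target_url):
        return page._replace(fragment="").geturl()  # same-origin: full URL (hostname + path)
    if page.scheme == "https" and target.scheme == "http":
        return None  # never leak across an https -> http downgrade
    return f"{page.scheme}://{page.netloc}/"  # cross-origin: origin only, hostname still leaks


# Constructed sample: the policy an nginx proxy in front of an internal NAS UI could inject.
NAS_ORIGIN = "https://nas.corp.example.com"
NAS_CSP = parse_csp("default-src 'self'; connect-src 'self'; img-src 'self' https://avatars.steamstatic.com")

if __name__ == "__main__":
    # Constructed Sentry ingest hostname, for illustration only.
    print(request_allowed(NAS_CSP, "connect-src", "https://o12345.ingest.sentry.io/api/1/envelope/", NAS_ORIGIN))
    print(referrer_sent("no-referrer", NAS_ORIGIN + "/ui", "https://avatars.steamstatic.com/x_medium.jpg"))
```

The model shows the trade-off in the P.S.: opening `img-src` to the avatar host lets the image load, and under the browser default the request would still carry `https://nas.corp.example.com/` as Referer, so the `no-referrer` header is what keeps the internal hostname out of the third party's logs. Note also that the header only helps on responses that pass through the proxy; a browser already holding a cached copy of the NAS UI, or a device with its own direct route, is unaffected.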

RamRodification 1 day ago||
ATM machine
dd_xplore 1 day ago||
NPM is pretty painless
atmosx 1 day ago||
I bought a Synology NAS and I have regretted it already 3-4 times. Apart from the software made available by the community, there is very little one can do with this thing.

Using LE to apply SSL to services? Complicated. Non-standard paths, custom distro, everything hidden (you can’t figure out where to place the SSL cert or how to restart the service, etc.). Of course you will figure it out if you spend 50 hours… but why?

Don’t get me started with the old rsync version, lack of midnight commander and/or other utils.

I should have gone with something that runs proper Linux or BSD.

joshstrange 1 day ago||
Unless you know what you are walking into ahead of time I would not recommend Synology to someone who wants to host a bunch of stuff and also wants a NAS. I don’t touch any of the container/apps stuff on my Synology(s), they are simply file servers for my application server. For this purpose, I find Synology rock solid and I’ve been very happy with them.

That said, I’ll probably try out the UniFi NAS offerings in the near future. I believe Synology has semi-walked-back its draconian hard drive policy but I don’t trust them to not try that again later. And because I only use my Synology as a NAS I can switch to something else relatively easily, as long as I can mount it on my app server, I’m golden.

PunchyHamster 1 day ago|||
You wanted a server and complain NAS is not just a server.
Gud 1 day ago|||
More like, user wanted an open operating system but chose a proprietary one.
atmosx 1 day ago|||
NAS is the primary function. But yes, I want full linux server that I can decide what to install and which protocol to use to upload and/or download files.
criddell 1 day ago|||
Why not just leave the NAS to be a NAS and get a separate server? You're probably better off not trying to overload the NAS to be everything.
Hikikomori 1 day ago|||
Why do I want two things when I can have one? Newer NASes with an N100 or similar are pretty powerful for the cost/package.
ssl-3 1 day ago|||
Can you provide some details about this overloading concept?
lurking_swe 1 day ago|||
is there a reason you didn’t consider one of the uGreen NAS’s?
tetris11 1 day ago|||
(Copied from an earlier comment of mine)

There are guides on how to mainline Synology NAS's to run up-to-date debian on them: https://forum.doozan.com/list.php

tgpc 1 day ago|||
Please don't do this to your Synology.

Leave it to serve files and iSCSI. It's very good at it.

If you leave it alone, no extra software, it will basically be completely stable. It's really impressive.

aetherspawn 1 day ago||
Second this, just use it for files, it’s great for it. 10+ years of uptime if you leave it alone.
reddalo 1 day ago|||
I'm so happy I didn't buy a NAS, Synology or not. I think a proper computer running Linux gives me so much more flexibility.
butvacuum 1 day ago||
That's still a NAS.
alexalx666 1 day ago|||
I bought a Synology RS217 for $100 last year and it's the best tech purchase I've made in years. The software it comes with is the best web interface I've experienced in years. The simplicity, stability and attention to detail remind me of old Macs. I have a Mac mini as an application server and did not expect to use the Synology for anything but file storage / replication. However, it comes with a great torrent client that I use all the time now. We also use Synology Office instead of Google Docs now. It exceeded all my expectations and when it dies, I will immediately buy one of the new RackStations they offer.
paffdragon 1 day ago|||
You can run a container on Synology and install your custom services and tools there. At least that is what I do. For custom kernel modules you still need a Synology package for something like WireGuard.

If you have OPNsense, it has an ACME plugin with a Synology action. I use that to automatically renew and push a cert to the NAS.

That said, since I like to tinker, Synology feels a bit restrictive, indeed. Although there is some value in a stable core system (like the immutable distros from Fedora Atomic).

Arrowmaster 1 day ago||
The extremely old kernel on Synology makes it hard or impossible to run some containers.
paffdragon 1 day ago||
I have a fairly recent DS920+ and have never had issues with containers - I have probably 10+ containers on it - Grafana, VictoriaMetrics/Logs, Jellyfin, Immich with ML, my custom Ubuntu toolboxes for net, media, ffmpeg builds, gluetun for VPN, Home Assistant, wallabag, ...

Edit: I just checked Grafana and cAdvisor reports 23 containers.

Edit2: 4.4.302+ (2022) is my kernel version; there might be specific tools that require more recent kernels, of course, but I have so far been lucky enough to not run into those.

Arrowmaster 23 hours ago||
While gluetun works great, there are other implementations of WireGuard that fail without the kernel modules. I've also run into issues from containers wanting the kernel modules for iptables-nft, but Synology only has legacy iptables.
paffdragon 14 hours ago||
I believe even for gluetun I had to add the WG kernel module. I think I used this to compile it for myself: https://github.com/runfalk/synology-wireguard

I know there are userspace implementations, but can't remember the specifics right now and don't have my notes with me.

> kernel modules for iptables-nft

I think you meant nftables. The iptables-nft package is meant to provide the iptables interface on top of nftables for code that still expects it, afaik. I haven't run into that issue yet (knock-knock). According to the docs, nftables is available since kernel 3.13, so in theory it might be possible to build the modules for Synology.

However, I don't think I will be buying another Synology in the future, mainly because of other issues like them restricting what RAM I can use or what I want to use the M.2 slots for, or their recent experiment with trying to push only their own drives, etc. I might give TrueNAS a try if I am not bored enough to just build one on top of a general-purpose OS...

Arrowmaster 10 hours ago||
I had to look it up and I think it was a mix of user error and a bad container. At one point I had been trying to use the nicolaka/netshoot container as a sidecar to troubleshoot iptables on another container, and it is/was(?) missing the iptables-legacy package and unable to interact with the first container's iptables.

As great as containerization is, having the right kernel modules available goes a long way, and I probably wouldn't have run into trouble like that if the first container hadn't fallen back to iptables because nftables was unavailable.

All of these NAS OSes that include Docker work great for the most popular containers, but once you get into the more complex ones, strange quirks start popping up.

tbyehl 1 day ago||
> Using LE to apply SSL to services? Complicated.

https://github.com/JessThrysoee/synology-letsencrypt

> there is very little one can do with this thing.

It has a VMM and Docker. Entware / opkg exist for it. There's very little that can't be done, but expecting to use an appliance that happens to be Linux-based as a generic Linux server is going to lead to challenges, be it Synology, TrueNAS, or anything else.

1vuio0pswjnm7 13 hours ago||
These requests to the Sentry company used to be sent over HTTP with no encryption.

https://blog.sentry.io/sentry-ingestion-domains-updates/

https://cloud.google.com/blog/topics/partners/using-sentry-t...

https://old.reddit.com/r/PleX/comments/1b12phf/plex_sending_...

There has never been any resource record for any sentry.io domain in the DNS that is used by computers I control. This DNS is local and I control it. I saw a request to an ingest.sentry.io domain once while experimenting with Firefox. It failed.

The DNS used by me only contains addresses for servers that I find useful.

But every user has their own preferences. It is possible that some end-users might see value in allowing their computers to automatically send requests to sentry.io while receiving nothing in return. I am not one of those users.

ggm 1 day ago||
Reverse address lookup servers routinely see escaped attempts to resolve ULA and RFC 1918 addresses. If you can tie the resolver to other valid data, you know inside state.

Public services see one-way traffic (no TCP return flow possible) from almost any source IP. If you can tie that to other corroborated data, the same: you see packets from "inside" all the time.

Darknet collection during the final /8 run-down captured audio in UDP.

Firewalls? ACLs? Pah. Humbug.
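The first signal ggm describes, reverse lookups for private address space escaping to a resolver outside the network, is also something you can watch for from the defending side: a PTR query for 10.x or fd00::/8 arriving at a public resolver (or leaving your egress) means a host inside is talking about internal addresses to the outside. The following is an added example, not code from the thread; the log lines are constructed and loosely modelled on BIND-style query logs, and the ranges flagged are RFC 1918 and IPv6 ULA as in the comment.

```python
import ipaddress
import re

# Ranges whose reverse lookups should never leave the network:
# RFC 1918 IPv4 space and IPv6 Unique Local Addresses (RFC 4193).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample log: PTR queries from two (documentation-range) clients,
# generated with the stdlib's reverse_pointer so the nibble forms are exact.
SAMPLE_LOG = "\n".join(
    f"client {client}#{port}: query: {ipaddress.ip_address(target).reverse_pointer} "
    f"IN PTR + (198.51.100.1)"
    for client, port, target in [
        ("203.0.113.7", 51234, "10.0.0.5"),      # internal: leaks
        ("203.0.113.7", 51235, "192.168.0.1"),   # internal: leaks
        ("203.0.113.9", 40001, "8.8.8.8"),       # public: fine
        ("203.0.113.7", 51236, "fd00::1"),       # ULA: leaks
        ("203.0.113.9", 40002, "12.34.56.78"),   # public: fine
    ]
)

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN PTR"
)


def ptr_name_to_ip(qname):
    """Turn an in-addr.arpa / ip6.arpa query name back into an address, or None."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            return None
        try:
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        except ValueError:
            return None
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(n) == 1 for n in nibbles):
            return None
        try:
            return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
        except ValueError:
            return None
    return None


def find_leaked_reverse_lookups(log_text):
    """(client, internal address) pairs for every PTR query that names internal space."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ip = ptr_name_to_ip(m.group("qname"))
        # `ip in net` is False across address families, so mixing v4/v6 is safe.
        if ip is not None and any(ip in net for net in INTERNAL_NETWORKS):
            leaks.append((m.group("client"), str(ip)))
    return leaks


def leaks_by_client(log_text):
    """Aggregate the leaks per source, which is the thing worth alerting on."""
    counts = {}
    for client, _ in find_leaked_reverse_lookups(log_text):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, addr in find_leaked_reverse_lookups(SAMPLE_LOG):
        print(f"{client} asked the outside world about internal address {addr}")
    print(leaks_by_client(SAMPLE_LOG))
```

Run against a real query log this would be an enrichment step rather than a verdict: one leaked PTR per client is noise, a steady stream from one egress address is a host (or a whole site) whose split-horizon DNS is misconfigured, and the addresses it asks about are exactly the "inside state" the comment is talking about.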

_gmax1 1 day ago|
"Darknet collection during final /8 run-down captured audio in UDP."

Mind elaborating on this? SIP traffic from which year?

ggm 1 day ago|||
2010/2011 time frame. Google and others helped sink the traffic; it's all written up at APNIC Labs. It's how 1.1.1.0/24 got held back from general release.
advisedwang 1 day ago||
e.g. https://www.potaroo.net/studies/103-slash8/103-slash8.pdf and https://conference.apnic.net/news-archives/2010/network-1/as...
LtdJorge 1 day ago|||
RTP, I’d say.
alimoeeny 1 day ago||
I personally have been blocking Sentry and all relevant domains on my machines. I understand this is not generally applicable advice. For me that’s the right choice.
mixedbit 1 day ago|
I have investigated a similar situation on Heroku. Heroku assigns a random subdomain suffix for each new app, so URLs of apps are hard to guess and look like this: test-app-28a8490db018.herokuapp.com. I have noticed that as soon as a new Heroku app is created, without making any requests to the app that could leak the URL via a DNS lookup, the app is hit by requests from automatic vulnerability scanning tools. Heroku confirmed that this is due to the new app URL being published in certificate authority logs, which are actively monitored by vulnerability scanners.
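The two situations in this thread, the wildcard certificate from the original article (which exposes only the parent domain) and the per-app certificate mixedbit describes (which exposes the full random hostname), differ only in what names end up in the log. The snippet below is an added example, not code from the thread, from Heroku or from any CT tooling; it models log entries as just their DNS SANs (constructed, with the hostname from the comment above reused as one of them) and shows both the scanner's view and the domain owner's audit view of the same data.

```python
# Constructed stand-ins for CT log entries: only the DNS names matter here.
CT_ENTRIES = [
    # Wildcard cert as in the original article: the log never shows "nas".
    {"issuer": "Example CA", "sans": ["*.nothing-special.whatever.example.com"]},
    # Per-app cert as mixedbit describes: the whole random name is public.
    {"issuer": "Example CA", "sans": ["test-app-28a8490db018.herokuapp.com"]},
    # Ordinary multi-SAN cert.
    {"issuer": "Example CA", "sans": ["example.com", "www.example.com"]},
]


def is_wildcard(san):
    return san.startswith("*.")


def san_matches(san, hostname):
    """X.509 wildcard rule: '*' stands for exactly one leftmost DNS label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not is_wildcard(san):
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    return len(san_labels) == len(host_labels) and host_labels[1:] == san_labels[1:]


def names_visible_to_scanner(entries):
    """Concrete hostnames anyone reading the log can enumerate (wildcards excluded)."""
    return sorted({san for e in entries for san in e["sans"] if not is_wildcard(san)})


def classify_hostnames(hostnames, entries):
    """Per hostname: 'exposed' (literal name in the log), 'wildcard-only'
    (a cert serves it, but the name itself never appears), or 'no-cert'."""
    result = {}
    for host in hostnames:
        matches = [san for e in entries for san in e["sans"] if san_matches(san, host)]
        if any(not is_wildcard(s) for s in matches):
            result[host] = "exposed"
        elif matches:
            result[host] = "wildcard-only"
        else:
            result[host] = "no-cert"
    return result


def audit_names_under(entries, apex):
    """Domain owner's view (what CT was designed for): every name, wildcards
    included, that any CA has issued under the given apex."""
    apex = apex.lower()
    return sorted({
        san for e in entries for san in e["sans"]
        if san.lower() == apex or san.lower().endswith("." + apex)
    })


if __name__ == "__main__":
    mine = [
        "nas.nothing-special.whatever.example.com",
        "test-app-28a8490db018.herokuapp.com",
        "www.example.com",
        "backup.example.com",
    ]
    print("scanner sees:", names_visible_to_scanner(CT_ENTRIES))
    print("my hosts:", classify_hostnames(mine, CT_ENTRIES))
    print("issued under example.com:", audit_names_under(CT_ENTRIES, "example.com"))
```

The classification is the useful bit for a defender: anything that comes back "exposed" should be assumed to receive automated scanning from the moment the certificate is logged, so it needs to be hardened before issuance rather than after; "wildcard-only" names stay unenumerated by CT but are still reachable by anyone who learns them through another channel, such as the error-reporting traffic the article is about.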
adolph 1 day ago||
> certificate authority logs, which are actively monitored by vulnerability scanners

That sounds like a large kick-me sign taped to every new service. Reading how certificate transparency (CT) works leads me to think that there was a missed opportunity to publish hashes to the logs instead of the actual certificate data. That way a browser performing a certificate check can verify in CT, but a spammer can't monitor CT for new domains.

https://certificate.transparency.dev/howctworks/

wlonkly 1 day ago||
I think it was more of an intentional tradeoff, as one of the many goals of CT logs was to allow domain owners to discover certificates issued for their domains, or more generally for any interested party to audit the activity of a certificate authority.

What you're describing there is certificate... translucency, I guess?

adolph 13 hours ago||
Yes, "translucent database" was exactly the concept I thought of when asking the question. The concept is to keep access to specific items easy but accessing the entire thing as a whole more costly.
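To make the "translucent log" idea from this sub-thread concrete: a log that records only SHA-256(certificate) can still hand a browser a Merkle inclusion proof for a certificate the browser already holds, while a reader of the log sees nothing but digests. This is an added example, not code from the thread and not a description of how real CT logs work; the Merkle construction and proof verification follow the RFC 6962 / RFC 9162 algorithms, the `TranslucentLog` class is a hypothetical design, and the "certificates" are constructed byte strings standing in for DER.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: 0x00 prefix separates leaves from interior nodes."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves):
    if not leaves:
        return _sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves, index):
    """Audit path for leaves[index], sibling hashes from the leaf upward."""
    if len(leaves) <= 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf, index, tree_size, proof, root):
    """RFC 9162 section 2.1.3.2 verification: rebuild the root from the path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1 or fn == 0):
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class TranslucentLog:
    """Hypothetical log that stores SHA-256(cert) per entry and nothing else."""

    def __init__(self):
        self.leaves = []       # leaf hashes only; no names, no certificates
        self._index = {}       # digest -> position, for answering proof requests

    def append(self, cert_bytes):
        digest = _sha256(cert_bytes)
        self._index[digest] = len(self.leaves)
        self.leaves.append(leaf_hash(digest))
        return self._index[digest]

    def root(self):
        return merkle_root(self.leaves)

    def size(self):
        return len(self.leaves)

    def proof_for(self, cert_bytes):
        """Only a party holding the certificate can even ask for its proof."""
        idx = self._index[_sha256(cert_bytes)]
        return idx, inclusion_proof(self.leaves, idx)


def browser_check(log_root, log_size, cert_bytes, index, proof):
    """What a client would do: hash the cert it was served and verify inclusion."""
    return verify_inclusion(leaf_hash(_sha256(cert_bytes)), index, log_size, proof, log_root)


# Constructed stand-ins for DER certificates (the names are only inside these bytes).
CONSTRUCTED_CERTS = [
    b"CONSTRUCTED-CERT dns=test-app-28a8490db018.herokuapp.com",
    b"CONSTRUCTED-CERT dns=*.nothing-special.whatever.example.com",
    b"CONSTRUCTED-CERT dns=www.example.com",
    b"CONSTRUCTED-CERT dns=mail.example.com",
    b"CONSTRUCTED-CERT dns=vpn.example.com",
]


def build_demo_log():
    log = TranslucentLog()
    for cert in CONSTRUCTED_CERTS:
        log.append(cert)
    return log


def check_all(log, certs):
    root, size = log.root(), log.size()
    return all(browser_check(root, size, c, *log.proof_for(c)) for c in certs)
```

What the example makes visible is the cost wlonkly points at: `audit_names_under` from the earlier comment has no equivalent here, because nothing in `log.leaves` contains a name, so a domain owner cannot discover mis-issued certificates for their domain, which was one of CT's founding goals. Two further design notes: hashing the whole certificate (rather than just the hostname) matters, since a log of bare hostname digests would be little obstacle for short or predictable names; and the log still has to publish its size and signed root for the proof to mean anything, so the existence and growth rate of entries remain public even when their contents are not.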
nightpool 1 day ago||
Really? Is that new? My apps use wildcard domains: https://i.postimg.cc/SQ82S0Dp/image.png
mixedbit 1 day ago||
This applies only to Heroku Fir and Cedar apps (apps that run in Heroku Private Spaces). Heroku Common Runtime apps still use shared wildcard certificate and their domains are not discoverable like this.