Since I have some time to distract myself with something other than fighting for survival, I’ve done a few things with the blog over the past weeks.
To start things off, Google sold their domain services to Squarespace earlier this year. Since my domain was going to be transferred to a company that has no humans manning the customer service ship, I decided to move my domain registration to WordPress. They did renew my domain and imported all my records from Google, all within 20 minutes.
From a domain perspective, instead of continuing to use Google’s web space offerings for blog hosting, I moved from their Blogger platform to WordPress. But during this move, I decided to re-learn Windows Server. I honestly haven’t touched it in a long time, and I felt it would be a good project over the summer to set up, secure, and harden the services that I would be moving to it. So I set up Windows Server 2022 Datacenter on an ASUS i3 small platform desktop. From a services perspective, I set up IIS (webserver), and installed all the required back-end services that WordPress would need, since I’m hosting my blog/website myself.
The next step of this process was to move all the network applications off of my Western Digital PR4100. I got this NAS back in 2017, and it’s been basically a place for all my data, music, and video content. Previously, I was running Plex, which is, for all intents and purposes, a media server. I could tell things were pretty sluggish. The NAS only has 4GB of RAM, which isn’t much for application use.
I moved the Plex application to the server, and it’s been much nicer. Loads fast. Performs well. It also enabled me to keep up with automatic updates; when it was housed on the NAS, everything was manual, and just a hassle during every update.
Once I moved all the application data to the new server, it was time to really think long and hard about securing the server. The reason is, it’s going to be sitting on the public internet now. With that comes the waves of internet scans, login attacks, and people trying to find exploits.
Since I’m hosting myself, I have to rely upon dynamic DNS that updates every 5 minutes. Should my connection change, and the IPv4/v6 addresses change, I needed a way to automatically update DNS without having to manually put all this stuff in. Previously I had a DynDNS Pro account, but really didn’t use it, since Google supported it. But since I moved away from Google for DNS, I needed a solid replacement, so I set up the DynDNS client on the server to send IPv4/v6 updates, so that if you try to reach the blog, you can access it from both IPv4/IPv6. All this happens in the background automatically, just make sure you type in the web address properly :).
Most of these attacks generally come from Russia, China, Germany, and Korea. Since the server doesn’t need to talk to anyone there, I got RDP Guard and installed it on the server. This allows me to control who can talk to the server on the IP level, but just from the basis of the Webserver. This allowed me to geo-block a good portion of bad actors. But it won’t catch other people trying to exploit the server.
The next step was enabling port forwarding in the router for IPv4 requests, and IPv6 firewall forwarding rules. But at this point the server was doing HTTP. Which is insecure. Yes. It’s a blog, but when I need to talk to my server, manage it remotely, HTTP wasn’t going to cut it. So I started to look into getting an SSL certificate so that the blog would be secure. Since I’m hosting everything myself, there are a few hostnames that I would have to buy an SSL cert for. Instead of buying individual certs, I decided to just get what’s known as a wildcard cert, which covers *.digitallychallenged.net. Once the cert was generated, I had to import it into the server. This was a fun learning experience since I’ve never done SSL/HTTPS for my domain previously.
Now I needed to add additional forwarding rules in the firewall. Still need to keep HTTP there, but one of the cool things is, my webserver doesn’t allow insecure connections. I enabled re-write in IIS so that if someone tries connecting to the blog website via HTTP, the server will force the user to HTTPS. 100% end to end encryption now. Pretty cool.
Once I got this working properly, I hit up my friend who I helped set up a very large government project. I did all the network security hardening for him, he did the webserver / application stuff. There were several configuration modifications we had to make to pass the scrutiny of the security scanners that the government was using to try and find security flaws. We shut a lot of doors. Took us a month to harden everything, then the next 6 months to have everything certified. I asked him to give me the IIS server security configurations we put in place and imported them into my webserver. I’m not taking any chances.
At the same time, my router is a pretty advanced model. I enabled the two-way intrusion protection since I’m going to be getting bombarded with garbage from the internet; it sits in the middle looking at packets coming in, and makes sure they aren’t malicious. It will stop it before it gets forwarded to the webserver. To date it’s stopped over 1270 malicious attacks from the outside hitting the router. Even though I have protections now on the inside network, packets will still hit the router.
Right before the heart attack, I updated the router firmware to Merlin, which is open source, but also gives that router so much more functionality. It keeps all the stock functions of the ASUS software, but allows me to install modules in the router that the stock firmware doesn’t have.
I installed a USB stick in the router to be used as a hard drive. Needed a place to put stuff. Routers don’t come with a lot of space. That’s when I installed a module called Skynet. Similar to RDP Guard that’s running on the server, but the level of blocking this can do is so impressive. Skynet has a database of bad IPs and networks that are known to be “bad”. Whether it’s port scanning, login attacks, or other various attack vectors, it’s basically a blacklist on steroids.
It took about 20 minutes to set up Skynet and get everything working the way I wanted. Just like in RDP Guard, I just blocked Russia and China right from the get go. Those networks don’t need to talk to me. Ever. At all. Secondly I enabled the dynamic blacklist feature which uses the communal database. Now more stuff won’t get through. The cherry on the top was my router will now watch for these attacks, signatures you could say. Digital thumbprints. So if someone does get through the blacklists and still tries doing bad stuff, Skynet will step on them and deny them from talking to me (I set it to a year) should they attempt 10 bad things within 30 minutes. After enabling it, Skynet was stopping things left and right. The logs were going nuts.
I then installed PRTG, which is a commercial network monitor. But the cool thing is, you can set up 100 sensors and it’s free. Got everything loaded up, and now my home network is fully monitored. Yeah it’s overkill, but it’s been a fun learning project just refreshing my memory, and I even learned new things along the way.
Lastly, due to the departure of Google, I needed to relocate my email. One option would be to move it to my server. But with the amount of junk email that just comes in, I would end up needing better software than the built-in mail server. So instead, I moved all of my mail to iCloud. About 2 years ago, iCloud started supporting custom domains. So I decided this would be the best place to move everything. Spam protection, don’t need to set up more security on my end. I’ll just let Apple handle that. After a few setup questions, everything was up and running. I pulled down all my email from Google, made the DNS changes and had to wait for those records to propagate across the internet. Roughly 4 hours later, I put all my email up on iCloud’s servers. Best part. This is all included when you subscribe to iCloud. Like TV, music, cloud storage. You get up to 6 email addresses; whereas Google was charging me $16 a month, with iCloud it’s included. Just made sense to do it.
The only thing left was to get an S/MIME certificate. So now my emails will be digitally signed. It’s all validated now. Secure. I can even enable email encryption too.
Security is important. People should take the time and effort I did. Trust me, all it takes is 1 security event to ruin your day. Data theft, ransomware, viruses, malicious intent is something that I take very seriously. But after all the steps I took, I’ve minimized the impact if it somehow happens. I have several layers of security should 1 part fail. The security sandwich I’ve set up is extensive, and quite impressive. This was a fun project to do. Gave me something else to do.
From the blog perspective, I enabled likes, social media platform sharing, and you can subscribe to my blog and get my posts via email now. Just simple quality of life enhancements to get my updates out there 🙂