Like the title says, I’m new to the self-hosting world. 😀 While I was researching, I found out that many people dissuaded me from self-hosting an email server. Just too complicated and hard to manage. What other services do you think we should just go use the currently available providers in the market for, and why? 🙂 Thank you.
Clearly opening RDP port on internet. NEVER.
What is wrong with that? Don’t they still need correct credentials to connect?
The service itself is insecure. You need to hide it behind a more secure setup if you want to expose it to the internet. It’s been a long while since I tried, but I have some foggy memories of an RDP Server that would encapsulate the connection in an SSL tunnel and forward the connection to the remote machine rather than exposing the RDP client itself to the internet.
Definitely do your research on how to do it securely before you just set it up and open it to the wild.
VPN FTW
Oh sure, VPN is definitely the preferred way if you already have the infrastructure in place. My experience with the front-end RDP server was years ago as the sysadmin for a company. My experience is likely very out of date, and was very corporate-focused, rather than for an enthusiast.
Nowadays I try not to touch Windows, and haven’t used RDP in years.
These days there are so many bots scanning that you have to be so careful.
What do you mean by “clearly”? Open RDP without password protection?
I often use RDP to access my Windows 10 desktop.
The password isn’t enough. It’s not a hardened protocol and vulnerabilities are found in it with some regularity. There have been unauthenticated RCEs before, i.e. the nightmare scenario.
Those vulnerabilities come from humans clicking on files they’re not supposed to click on. NO way of communication is secure against that. Not even the magic of Tailscale. RDP offers 2FA and has an encrypted connection. It’s fine!
Even Microsoft recommends against opening RDP to the web and to use a VPN instead.
You’re playing with fire here.
As far as a few Google searches got me: No, they don’t.
Lol, I work at an attack surface scanning company. Every freaking company I talk to, with very few exceptions, has at least one of these. If not a whole infrastructure. Then they cry, “how did we get ransomware?”
I have a load balancer on my network that has opened one port on my home network. The load balancer is connected through Cloudflare and is encrypted on both sides. Is that okay?
Why did you choose to open a port, if you use Cloudflare? Couldn’t you use a Cloudflare Tunnel in that case?
Don’t try to be clever and change the port from 3389 to something else either.
Scanners can fingerprint traffic and just blast the other ports instead.
I (foolishly) did this a few years ago and luckily I had account lockout enabled.
Constant attempts all day long - they were even able to enumerate local users and try to log in as them (fortunately they never could because the passwords were random KeePass ones).
Don’t do it, seriously.
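The “constant attempts all day long” and user enumeration described in the post above are visible in the Windows Security log as a flood of event 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP). The following is an added example, not code from anyone in this thread: a small detector that groups failed RDP logons per source IP in a sliding window and flags both high failure volume and many distinct usernames from one address. The event records and the thresholds (5 failures or 3 usernames in 5 minutes) are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records,
# reduced to the fields that matter: time, target user, logon type, source IP.
# Logon type 10 = RemoteInteractive, i.e. an RDP attempt. Sample data, not real.
SAMPLE_EVENTS = [
    ("2024-01-01 02:00:01", "administrator", 10, "203.0.113.7"),
    ("2024-01-01 02:00:03", "admin", 10, "203.0.113.7"),
    ("2024-01-01 02:00:05", "guest", 10, "203.0.113.7"),
    ("2024-01-01 02:00:06", "backup", 10, "203.0.113.7"),
    ("2024-01-01 02:00:08", "alice", 10, "203.0.113.7"),
    ("2024-01-01 02:00:09", "alice", 10, "203.0.113.7"),
    ("2024-01-01 09:15:00", "alice", 10, "192.0.2.10"),  # one typo by a real user
    ("2024-01-01 09:20:00", "bob", 2, "127.0.0.1"),      # local console, not RDP
]

def detect_rdp_bruteforce(events, window=timedelta(minutes=5),
                          max_failures=5, max_users=3):
    """Return {source_ip: {"failures": n, "users": [...]}} for source IPs whose
    failed RDP logons (logon type 10) within any sliding time window reach
    either threshold: raw failure volume, or distinct usernames (enumeration).
    The recorded window for an IP is the last one that tripped a threshold."""
    per_ip = defaultdict(list)
    for ts, user, logon_type, ip in events:
        if logon_type != 10:          # ignore console, service, network logons
            continue
        per_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    alerts = {}
    for ip, attempts in per_ip.items():
        attempts.sort()               # chronological order for the window scan
        start = 0
        for end in range(len(attempts)):
            # advance the window start until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = sorted({u for _, u in span})
            if len(span) >= max_failures or len(users) >= max_users:
                alerts[ip] = {"failures": len(span), "users": users}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failed RDP logons, users {info['users']}")
```

On a real host the same fields come from the Security log (Event ID 4625, `LogonType`, `TargetUserName`, `IpAddress`); the single mistyped password from 192.0.2.10 is correctly left alone.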
PSA for you guys that RDP over the net: turn that off, and use a VPN like WireGuard or Tailscale, or use something like Apache Guacamole.