Korthrun

There are cases where forward and reverse DNS need to match, and you may not want to have any association between two domains. SMTP is something that comes to mind. If your HELO/EHLO domain doesn’t match up, there are many servers that just won’t deliver your mail. I host my own email, and I work with very technical people. I don’t want “fun-domain.com” and “domain-on-my-resume.com” resolving to the same IP address. But I can host them on the same server.

There’s still some software out there that does not support SNI.

While your post body focuses on VPS, your question doesn’t, so I’ll also mention self hosting your own VMs. You can do a lot with reverse proxies and funky port based traffic routers, but sometimes just giving the VM it’s own IP is way simpler. Especially if you don’t mind hosting the VM, but aren’t interested in managing the service. I host a VM for a MUD I used to play. I don’t run the MUD, I don’t want to. I want them to be able to do stuff on their website without me having to edit a reverse proxy config, or without having to give them access to the host server.

It can also be used to increase the number of connections you can have to a single interface.

Perhaps you’re hosting your own VPN and you want traffic to come out an entirely different interface than the one your other services are on, for segregation reasons.

A secondary IP can also allow for a bit of service redundancy. Probably not the most relevant thing in self-hosting land, but the ability to move an IP between two different VPSs (assuming they’re on different hypervisors anyway) is pretty handy.

I used to use prgmr, I still do but they call themselves TornadoVPS now. Haven’t had any issues.

For a while now I’ve been using either haproxy or nginx depending on my needs. I’ve hit instances with both where the functionality I want is in the paid version.

Have you looked for providers that offer ETRN? Seems like that might fit your use case well.

I’ve hosted my own email for over a decade with very few issues. It’s low ram and CPU usage so a very cheap VM (or a pair in different locations if you wanna be leet) can be a viable way to avoid the ISP related issues people have trying to host it at home. If you really want it all ending up at home you can do ETRN as mentioned and while TCP/25 is often blocked at home, the submission port (TCP/587) rarely is.

I saw the lack of arm and facepalmed but I was half asleep poo posting so got over it :p (fixed now!)

I’ve been using this device for ~5 years now, so my memory is a little hazy on it, but I’m pretty sure for the particular device I prefer (which is to say, I have nfc what the setup is for other vendors, which could be greatly superior) the AES-256 key used for encryption isn’t generated until you setup your first card.

How would any company, regardless of geography have the secret I generated? This is a stand alone hardware device. They seller is not involved at all once I’ve received my package.

Could a sophisticated/well resourced actor clone the smart card they stole or you lost? Sure, brute force attacks are brute force attacks. At least you’d know your device and card are stolen. Now you’re in a race to reset your passwords before they finish making 500 clones of the smart card they stole.

Hypothetically I could blackmail someone at LastPass and have a backdoor is installed for me.

Someone could bust down my door while I have it connected and unlocked and just login to all my things. ¯\_(ツ)_/¯

That will vary from vendor to vendor. In the case of the one I like there are a few relevant things.

The password db is stored encrypted on the device. Accessing the passwords requires all of:

• the device
• a smartcard with a particular secret on it
• the 4 digit hex pin to unlock the secret on said smartcard, which is what is used to decrypt the db

Three PIN failures and the smart card is invalidated.

That sort of covers “stolen” and “lost + recovered by a baddie”. Your bad actor would need to have their hands on both physical pieces and guessed the 4 digit hex code in 3 tries.

As far as a user recovering from a lost or failed device or smart card goes, you can export the encrypted version of the db for backups, which I do to a thumb drive I keep in my document safe. I do the same with a backup smart card. So that and a backup device or purchasing a new one if yours fails or is lost/stolen.

In the super “just in case” move, I also keep a keepassdb on said thumb drive. In case my device fails and it’s just not possible to get a new one. Kind of like keeping two cloud providers in case LastPass goes bankrupt or something.

I’m a pretty big fan of the mooltipass. They’re sold out and between iterations right now, but a new one is expected soon. One of my coworkers is pretty into their OnlyKey.

So many folks talking about which software they use, and how they sync it between devices etc.

You all know there are hardware password keepers right? They present to your devices as a usb and/or bluetooth keyboard and just type out the user/password that you select. They have browser plugins to ease the experience. Now your password is not even stored on the device you’re using to perform your login and it will work on any modern device even without internet access.

Oh and no subscription fee to cover the costs of cloud infrastructure.