Tailscale is great
Published 13 days ago
After reporting over 32 000 IP addresses for trying to hack my box, I decided to finally just shut off port 22, and migrate to Tailscale.
This will be a very short post, but I wanted to write a little love letter to Tailscale. For the uninitiated, they essentially provide really easy-to-use tools to restrict access to resources on and off the internet.
This website is, and has been for a little while, running on Hetzner Cloud on a tiny little VM. It's been working really well except for that one time I got hacked and learned to pay attention to default values. I didn't write a blog article about it (I forgot), but I wrote a guestbook entry.
I got hacked! Turns out, at 11 PM last night, a Chinese botnet gained access to my box on Hetzner by brute forcing the password of my cluster account. It happened because I used an insecure password on the account, not knowing that SSH password authentication was turned on. Hetzner let me know this morning that my box was found to be performing netscans outwards. I managed to stop the scripts running and clean out the malware, which consisted of a bitcoin miner, a network scanner and some other bits and bobs. Remember to use strong passwords, and to only use SSH key access on your boxes.
After that, I took it upon myself to start reporting hack attempts to AbuseIPDB, which is a database of malicious IP addresses essentially. Since starting that about 6 months ago, I have, using the fail2ban AbuseIPDB integration, reported a whopping 32 441 IP addresses. You can see this number live at the bottom of my website (not that well in dark mode). It just goes to show how much junk is passing through our global infrastructure every day.
But today, I decided to try to "fix" the issue of people trying to access my SSH login and install Tailscale so I can just disable the port altogether. I haven't really ever used it, only other similar solutions to varying degrees of success, but I wanted to have something to tinker with. But, to my great surprise, after a 2-minute wizard with basically two copy-paste commands and a GitHub login, I was done. I started googling how I could make it support SSH, but it turns out it just does it right out of the box? It's almost too easy.
So I just want to say, kudos to them for creating such an amazing product. It really is incredibly nice to use.