lichess.org
Creating Your Own Stockfish in the Cloud

thanks for sharing this. I will use the link that shares incentive when I get to this.

@dboing said in #2:

Thanks buddy, let me know how it goes, it was a challenge to write so hopefully people will find it useful

this is truly amazing.

@TakW said in #4:

> this is truly amazing.

Did you get it working?

Thanks for this nice straightforward setup, which gets a Stockfish instance running UNSAFE on an UNSAFE configured cloud resource.
But you are missing minimal hardening steps.
You should never use root as your normal connection user. You should not run Stockfish as root.
You should create a dedicated user for this.

If you want to install PuTTY in macOS, and you have installed Homebrew, in Terminal enter:

brew install putty

@OneTyredDownhiller said in #6:

> Thanks for this nice straightforward setup, which gets a Stockfish instance running UNSAFE on an UNSAFE configured cloud resource.
> But you are missing minimal hardening steps.
> You should never use root as your normal connection user. You should not run Stockfish as root.
> You should create a dedicated user for this.

Thanks for the comment,

I am curious about the Unsafe on Unsafe? We have a cloud server which is accessible via an SSH tunnel. I agree that we should create a new user for this as opposed to using root, but is there a security risk here?

Given that it is for personal Stockfish use, and that the users will typically switch on and off the droplet when not in use.

@chavezo said in #7:

> If you want to install PuTTY in macOS, and you have installed Homebrew, in Terminal enter:
>
> brew install putty

Interesting, did you give the article a try on macOS? I am curious how the blog holds up as it was written for Windows.

Given that the system is switched off when not in use, is not a big issue for an attacker.
Mallory simply can scan the uptime of thousands of potential targets.

Yes I expect there is NOW NO DIRECT exploit, but you increase the attack vector for any further exploit or for a combination of different exploits.

Anyhow it is strongly requested to apply the best practices for Linux operation for 20 years.
Never work directly with root, use sudo instead.
Never run "service" as root, use a dedicated service user, with minimal permissions.

Also chess software is normally not very well security hardened. ...
Even more if you want to run experimental stockfishes. ...
Therefore it is strongly requested to harden and minimize your OS.
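
The two checks asked for in this thread (no root login over SSH, no Stockfish process owned by root), as an added example that is not code from the blog post or from any poster. It reads a saved copy of `sshd_config` and saved output of `ps -eo user=,comm=`; the sample data and the user name `sfuser` are constructed, and it assumes no `Include` files or `Match` blocks override the setting.

```shell
#!/usr/bin/env bash
# Added example. Works on saved text so it runs offline:
#   $1 = copy of /etc/ssh/sshd_config
#   $2 = saved output of: ps -eo user=,comm=

# Effective value of an sshd_config keyword. sshd keeps the FIRST value it
# reads; keywords are case-insensitive and may be "Key value" or "Key=value".
sshd_value() {  # $1=file  $2=keyword  $3=built-in default
  awk -v key="$2" -v def="$3" '
    { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # normalise the line
    /^#/ || NF < 2 { next }                             # comments, blanks
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }' "$1"
}

# Distinct users that own a process whose command name contains "stockfish".
engine_owners() {  # $1=ps listing file
  awk 'tolower($2) ~ /stockfish/ { print $1 }' "$1" | sort -u
}

# Prints one FINDING line per problem; prints nothing when both checks pass.
audit() {
  local root_login
  # OpenSSH default when unset is prohibit-password: root may log in by key.
  root_login=$(sshd_value "$1" PermitRootLogin prohibit-password)
  [ "$root_login" = no ] ||
    echo "FINDING: PermitRootLogin=$root_login, root can still connect over SSH"
  if engine_owners "$2" | grep -qx root; then
    echo "FINDING: Stockfish is running as root, use a dedicated user"
  fi
}

# Constructed sample: the setup criticised in the thread. The later
# "PermitRootLogin no" line has no effect because the first value wins.
demo() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' '# constructed sample' 'Port 22' 'permitrootlogin = YES' \
    'PermitRootLogin no' > "$dir/sshd_config"
  printf '%s\n' 'root sshd' 'root stockfish' 'sfuser bash' > "$dir/ps.txt"
  audit "$dir/sshd_config" "$dir/ps.txt"
  rm -rf "$dir"
}
demo
```

On a live host, `sshd -T` (run as root) prints the effective configuration including `Include` and `Match` handling, and its output can be passed as the first argument instead of the raw file.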