Comment

Comment on What steps do you take to secure your server and your selfhosted services?

Chewy7324@discuss.tchncs.de ⁨3⁩ ⁨weeks⁩ ago

Some I haven’t yet found in this thread:

rootless podman
container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
systemd services with many of its sandboxing features (PrivateTmp, …)

source

Sort:hotnew top

ocean@lemmy.selfhostcat.com ⁨3⁩ ⁨weeks⁩ ago
Does adding 127.0.0.1 make it so only that server can access it or what? I’ve seen that but not understand

source
- Chewy7324@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago
  127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).
  
  The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.
  
  source
  - ocean@lemmy.selfhostcat.com ⁨2⁩ ⁨weeks⁩ ago
    
    Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).
    
    Thanks for explaining this!
    
    source
ikidd@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
I assume #2 is just to keep containers/stacks able to talk to each other without piercing the firewall for ports that aren’t to be exposed to the outside? It wouldn’t prevent anything if one of the containers on that host were compromised, afaik.

source
- MangoPenguin@lemmy.blahaj.zone ⁨3⁩ ⁨weeks⁩ ago
  Containers can talk to each other without any ports exposed at all, they just need to be added to the same docker network.
  
  source
  - ikidd@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    I was getting more at stacks on a host talking, ie: you have a postgres stack with PG and Pgadmin, but want to use it with other stacks or k8s swarm, without exposing the pg port outside the machine.
    
    source
    MangoPenguin@lemmy.blahaj.zone ⁨3⁩ ⁨weeks⁩ ago
    You can do that by joining the containers to the same docker network, you don’t need to expose ports even to localhost.
    
    source
    -> View More Comments
- Chewy7324@discuss.tchncs.de ⁨3⁩ ⁨weeks⁩ ago
  It’s mostly to allow the reverse proxy on localhost to connect to the container/service, while blocking all other hosts/IPs.
  
  This is especially important when using docker as it messes with iptables and can circumvent firewall like e.g. ufw.
  
  You’re right that it doesn’t increase security on case of a compromised container. It’s just about outside connections.
  
  source
  - ikidd@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    OK, yah, that’s what I was getting at.
    
    source