Comment

Comment on ELI5: How to put several servers on one external IP?

towerful@programming.dev ⁨2⁩ ⁨days⁩ ago

Who is externally reaching these servers?
Joe public? Or just you and people you trust?

If it’s Joe public, I wouldn’t have the entry point on my home network (I might VPS tunnel, or just VPS host it).

If it’s just me and people I trust, I would use VPN for access, as opposed to exposing all these services publicly

source

Sort:hotnew top

Allero@lemmy.today ⁨2⁩ ⁨days⁩ ago
Just me and the people I trust, but there are certain inconveniences around using VPN for access.

First, I live in the jurisdiction that is heavily restrictive, so VPN is commonly in use to bypass censorship

Second, I sometimes access my data from computers I trust but can’t install VPN clients on

Third, I share my NAS resources with my family, and getting my mom to use a VPN every time she syncs her photos is near impossible

So, fully recognizing the risks, I feel like I have to expose a lot of my services.

source
- somewa@suppo.fi ⁨2⁩ ⁨days⁩ ago
  Remember that with services facing public internet it’s not about if you get hacked but when you get hacked. It’s personal photos on someone elses hands then.
  
  source
  - thermal_shock@lemmy.world ⁨2⁩ ⁨days⁩ ago
    Not sure why you’re downvote, you’re absolutely right. People scan for open ports all day long and will eventually find your shit and try to break in. In my work environment, I see thousands of login attempts daily on brand new accounts, just because something discovered they exist and want to check it out.
    
    source
    somewa@suppo.fi ⁨2⁩ ⁨days⁩ ago
    Those who have not been burned yet often don’t expect it to happen to them. Usually it isn’t anything big causing it but some typo in a config or software not updated on time.
    
    source
  - Allero@lemmy.today ⁨2⁩ ⁨days⁩ ago
    I do remember that and take quite a few precautions. Also, nothing that can be serioisly used against me is in there.
    
    source
    hietsu@sopuli.xyz ⁨2⁩ ⁨days⁩ ago
    I have wrestled with the same thing as you and I think nginx reverse proxy and subdomains are reasonably good solution:
    
    nothing answers from www.mydomain.com or mydomain.com or ip:port.
    
    I have subdomains like service.mydomain.com and letsencrypt gives them certs.
    
    some services even use a dir, so only service.mydomain.com/something will get you there but nothing else.
    
    keep the services updated and using good passwords & non-default usernames.
    
    Planned: instant IP ban to anything that touches port 80/443 without using proper subdomain (whitelisting letsencrypt ofc), same with ssh port and other commonly scanner ones. Using fail2ban reading nginx logs for example.
    
    Planned: geofencing some ip ranges, auto-updating from public botnet lists.
    
    Planned: wildcard TLS cert (*.mydomain.com) so that the subdomains are not listed anywhere maybe even Cloudflare tunnel with this.
    
    Only fault I’ve discovered are some public ledgers of TLS certs, where the certs given by letsencrypt spill out those semi-secret subdomains to the world. I seem to get very little to no bots knocking my services though so maybe those are not being scraped that much.
    
    source
    -> View More Comments