Comment

Comment on Good guides for the security you need to set up for self hosting?

Sethayy@sh.itjust.works ⁨3⁩ ⁨months⁩ ago

I skimmed over your entire comment minus the part about docker, so if you answered this somewhere and I’m a dumbass I already accept fault,

that being said docker has taught me more about Linux than anything else, cause its like a micro Linux you can reliably bring up and take down on demand, without requiring risking breaking your GUI or something scary

source

Sort:hotnew top

TCB13@lemmy.world ⁨3⁩ ⁨months⁩ ago
Oh well, If you think you’re good with Docker go ahead use it, it does work but has its own dark side…

cause its like a micro Linux you can reliably bring up and take down on demand

If that’s what you’re looking for maybe a look Incus/LXD/LXC or systemd-nspawn will be interesting for you.

I hope the rest can help you have a more secure setup. :)

Another thing that you can consider is: instead of exposing your services directly to the internet use a VPS a tunnel / reverse proxy for your local services. This way only the VPS IP will be exposed to the public (and will be a static and stable IP) and nobody can access the services directly.

client —> VPS —> local server

The TL;DR is installing a Wireguard “server” on the VPS and then have your local server connect to it. Then set something like nginx on the VPS to accept traffic on port 80/443 and forward to whatever you’ve running on the home server through the tunnel.

source
- BearOfaTime@lemm.ee ⁨3⁩ ⁨months⁩ ago
  I think there’s a lot of risk exposing your home IP with services behind it. Last time I did it, within minutes the router got slammed with requests trying to break into services. It actually impacted router performance.
  
  source
  - TCB13@lemmy.world ⁨3⁩ ⁨months⁩ ago
    That’s actually a DDoS, for instance that doesn’t ever happen on my ISP as they have some kind of DDoS protection running akin to what you would see on a decent cloud provider. Not sure of what tech they’re using, but there’s for certainly some kind of rate limiting there.
    
    Isolate the server from your main network as much as possible. If possible have then on a different public IP either using a VLAN or better yet with an entire physical network just for that - avoids VLAN hopping attacks and DDoS attacks to the server that will also take your internet down;
    
    In my case I can simply have a bridged setup where my Internet router get’s one public IP and the exposed services get another / different public IP. If there’s ever a DDoS, the server might be hammered with request and go down but unless they exhaust my full bandwidth my home network won’t be affected.
    
    As we can see this thing about exposing IPs depends on very specific implementation detail of your ISP or your setup so… it may or may not be dangerous.
    
    source