If Nothing is Exposed, Am I Safe?

Submitted ⁨⁨22⁩ ⁨hours⁩ ago⁩ by ⁨No_Bark@lemmy.dbzer0.com⁩ to ⁨selfhosted@lemmy.world⁩

Hello most excellent Selfhosted community,

I’m very new to this and am confused about how vulnerable my server and/or home network is with my current setup.

I just got a basic server up and running on a machine with proxmox and a DAS for 10tb of storage. I’ve got two LXCs running for a docker deployed arr stack and jellyfin+jellyseer stack. The proxmox server is connected to a router attached to a fiber ONT. Everything is accessed over the home LAN network and that’s it.

Everything is working correctly and my containers are all talking to each other correctly via ip addresses (gluten network on the arr stack container). I’ve been reading up on reverse proxies and tailscale to connect to the server from outside my LAN network, and it’s mostly gone over my head, but it did make me concerned about my network security.

Is my current set up secure, assuming strong passwords were used for everything? I think it is for my current uses - but I could use a sanity check, I’m tired. I’m open to any suggestions or advice.

I own a domain that I don’t use for anything, so it would be cool to get reverse proxy working, but my attempts so far have failed and I learned I’m behind a double NAT (ONT and router) - and attempts to bypass that by setting the ONT into bridge mode have also failed. I don’t really need to access anything from outside my home network right now - but I would like to in the future.

source

Comments

Sort:hotnew top

tvcvt@lemmy.ml ⁨22⁩ ⁨hours⁩ ago
You ever see those Wired videos where they talk about a concept on five different levels ranging from beginner to expert?

The first level answer is likely that, yes, you’re reasonably secure in your current setup. That’s true, but it’s also really simplified and it skips a lot of important considerations. (For example, “secure against what?”) One of the first big realizations that hit me after I’d been running servers for a little while and trying to chase security is the idea of a threat model. What protects me from a script kiddie trying to break into one of my web servers won’t do much for me against a phishing attack.

The more you do this, though, the more I think you’ll realize that security is more of a process than an actual state you can attain.

I think it sounds like you’re doing a good job moving cautiously and picking up things at each step. If the next step is remote access, you’ve got a pretty good situation for a mesh VPN like Tailscale or Netbird or ZeroTier. They’ll help you deal with the CGNAT and each one gives you a decent growth path where you can start out with a free tier and if you need it in the future, either buy into the product or self host it.

source
- hoshikarakitaridia@lemmy.world ⁨21⁩ ⁨hours⁩ ago
  This is probably the best answer. If everything is truly only running on local network and nothing is exposed with a port through your router, you are very safe.
  
  Most issues get introduced when running a server exposed to the Internet.
  
  That said, on the lowest level, if they want to get you, they will. It’s all a risk analysis. And the more interesting you are to adversarial parties, the higher the chances you’ll get pursued.
  
  If you’re Edward Snowden, 99% your calls and conversations are always on record.
  
  If you’re John Doe, truly only your ISP cares when they get a law enforcement request because you really pushed the envelope.
  
  Trending movies are notoriously bad, because movie studios will really try to rake in the revenue.
  
  On the other hand, ripping music from YouTube, no one cares or is able to track it, so risk is very low.
  
  source
r0ertel@lemmy.world ⁨8⁩ ⁨hours⁩ ago
I was hacked years ago. I was hosting a test instance of a phpbb for a local club. Work blocked SSH, so I opened up telnet. They either got in from telnet or a php flaw and installed password sniffers and replaced some tools (ps, top) with tools that would hide the sniffer service they installed.

After that, I changed my model. My time lab is for learning and having fun. I’m going to make mistakes and leave something exposed or vulnerable and hackers are going to get in. Under this new model, I need to be able to restore the system easily after a breach. I have a local backup and a remote backup and I have build scripts (ansible) so that I can restore the system if I need to. I’ve had to do this twice. Once from my own mistake and one from hardware failure.

source
catloaf@lemm.ee ⁨21⁩ ⁨hours⁩ ago
The only device that’s truly secure is one that’s turned off, disconnected from the network, encased in concrete, at the bottom of the ocean. Everything else is a tradeoff between convenience and security.

source
- i_stole_ur_taco@lemmy.ca ⁨20⁩ ⁨hours⁩ ago
  And that ocean is preferably on a planet other than Earth.
  
  source
  - WhatAmLemmy@lemmy.world ⁨17⁩ ⁨hours⁩ ago
    The only device or information system that is truly secure is the one that doesn’t exist at all
    
    source
    -> View More Comments
4am@lemm.ee ⁨16⁩ ⁨hours⁩ ago
I had a double NAT setup like that. Run a firewall like OPNSense as a Proxmox VM, and give it a WAN interface on the ISP router’s IP range; then run everything else on a different subnet, using OPNSense as the gateway. On the ISP router, put OPNSense’s WAN IP in the DMZ. Then, do all your hardening using OPNSense’s firewall rules. Bonus points for setting up a VLAN on a physical switch to isolate the connection.

The ISP router will send everything to OPNSense’s WAN IP, and it will basically bypass the whole double NAT situation.

source
Vinny_93@lemmy.world ⁨22⁩ ⁨hours⁩ ago
You can run nginx in a docker container and define reverse proxies there. That will only require your to open up 443 in your router if you use SSL (which I highly recommend and is simple with Let’s Encrypt)

Then I’d recommend connecting to your arrs and torrent client in Nzb360 paid edition to manage everything in there.

As far as safety, well nothing is bulletproof. If they want to get in, they will. Best thing I can recommend is to run your arrs / indexers through a different IP address than your torrent client. But if they want to find you, they’ll find you. Thing is they probably won’t come after you if your ISP doesn’t report you uploading terabytes a day. SSL helps and keeping your arrs behind complex passwords (use a password manager) will keep the server itself relatively safe.

Unless of course, ISPs in your country suddenly start to crack down on illegal downloading hard.

source
- kat@orbi.camp ⁨22⁩ ⁨hours⁩ ago
  Why open a port when you can do tailscale/vpn or tunnel.
  
  source
  - ChapulinColorado@lemmy.world ⁨16⁩ ⁨hours⁩ ago
    Not to mention that some providers offer APIs to provide certificates without opening port(s) 80/443. This allows using nice domain names with valid SSL over the internal network too. Want to migrate a server or service? Just change the IP associated with the domain on the internal DNS. Makes migrating and upgrading a lot easier.
    
    source
nutbutter@discuss.tchncs.de ⁨18⁩ ⁨hours⁩ ago
This guide can you help you expose your services in a relatively safe way.

source
IsoKiero@sopuli.xyz ⁨22⁩ ⁨hours⁩ ago

Is my current set up secure, assuming strong passwords were used for everything?

Network security is a complicated beast to manage. If general public can access your services over the internet, that’s a threat you need to mitigate. Strong passwords is a good start on that, but it doesn’t take into account if there’s a flaw or bug on the service you’re running. Also if you have external users, they might reuse their passwords and leak for those might cause a threat too, specially if there’s privilege escalation bugs on the software you’re running.

And so on, it’s a too wide field to cover in a short comment here, but when you’re building your stuff, and what is maybe the most disticntive feature on a good professional between a not so good one, is to think ahead and prepare for every imaginable scenario where something goes wrong. Every time you add a way to access your network, no matter how minuscle, think what happens if that way gets compromised and what it might mean on the very worst case.

Maybe you want to add another access point to your network since your terrace isn’t properly covered. That’s nice to have, but now everyone around 100 meters around your house/apartment might have access to your stuff if they can break your wifi security. Maybe you set up a reverse proxy or tailscale on the stack. Now the whole internet can at least probe your stuff and try to find vulnerabilities, try to use stolen credentials and even try to social engineer their way into your stuff. Or maybe you made an mistake and left something open that shouldn’t be.

I’m not trying to scare you off out of anything. Go ahead and play with your stuff, break things, learn how to fix them, have fun while doing it. Just remember to think ahead about worst case scenarios, weigh their risks, think ahead and then go on. Learn about DNAT, reverse proxies, VPN and network layers and whatever you come across on your adventure but keep in mind that shit will hit the fan at some point. And learn to accept that, learn from your mistakes and do better next time.

source
Onomatopoeia@lemmy.cafe ⁨20⁩ ⁨hours⁩ ago

The proxmox server is connected to a router attached to a fiber ONT.

If you want to be extra secure, there’s no reason the server needs internet connectivity/exposure at all (it should be safe). Put it on its own VLAN with only specified ports open to your home LAN. That would be one extra layer from the internet - if admin/remote ports can’t be accessed via the internet connection LAN, then no way for an outsider to get into it (you’d have to provide other ways of accessing the server to admin it, either KVM, or a machine on that VLAN, etc).

You DO NOT need to do this, just adding an idea about how to make stuff more secure.

source
StrawberryPigtails@lemmy.sdf.org ⁨21⁩ ⁨hours⁩ ago
Depends on your threat model, but you’re probably fairly secure from remote unauthorized access right now.

Given that I’m American, I would put the *arr stack behind a dedicated VPN container like gluetun and set Gluetun up using a “no logs” VPN.

For remote access, Tailscale can probably get around that double NAT. If you have it on your devices as well as your server, you won’t necessarily need to expose anything publicly.

If that’s not an option, you could set up an external VPS to run a reverse proxy (Caddy perhaps) and use the Tailscale connection to connect the VPS to your home server. There are fully self hosted ways to do this (Headscale comes to mind), but Tailscale is how I personally would solve this.

source