Securing a 'public' service for family

Submitted ⁨⁨2⁩ ⁨days⁩ ago⁩ by ⁨IanTwenty@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.

There’s no way I’m going to get everyone onto a VPN, it’s a non-starter though I would prefer it.

I am thinking to use a VPS with anubis and either crowdsec or fail2ban (or both?!) in front of Peertube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/Apparmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.

Despite all this I expect it will get scanned and attacked as it will have to expose ports 80/443 to the world so for family it will just work.

Is there anything else I should consider for security? Is Peertube the weakest link in the chain? (a little concerned their min password length is 6 it seems and no 2fa). So long as I keep whole thing up-to-date is it as secure as anybody can manage these days (without resorting to VPN)?

Is it all too much hassle and I should look for a company that offers hosted Peertube so they can worry about it?

Thanks for any and all advice.

source

Comments

Sort:hotnew top

CausticFlames@sopuli.xyz ⁨2⁩ ⁨days⁩ ago
I’d say you’re good. I trust NPM’s SSL forwarding so I’d say spin up Peertube and put NPM in front of it to manage your certs and such, and as long as both are up to date it’ll be fine.

Realistically though, you could still use a VPN and have it be pretty easy for your family members IF you have access to their router console and IF said router supports network wide wireguard or openVPN connections. Having both networks tied in to eachother that way makes it so that nobody ever has to use a VPN client to connect, but still only devices from their network (or yours) will be able to connect.

source
- JASN_DE@feddit.org ⁨2⁩ ⁨days⁩ ago
  
  Realistically though, you could still use a VPN and have it be pretty easy for your family members IF you have access to their router console and IF said router supports network wide wireguard or openVPN connections. Having both networks tied in to eachother that way makes it so that nobody ever has to use a VPN client to connect, but still only devices from their network (or yours) will be able to connect.
  
  Realistically this plan dies the moment someone takes their phone outside of the WiFi range. It’s fine in theory, but fails miserably in non-techie real life.
  
  source
  - marduk@lemmy.sdf.org ⁨2⁩ ⁨days⁩ ago
    “Where’s the router you configured for me? Oh the Cox guy said I should just use their router for $9.99/mo so I donated it to Goodwill”
    
    source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  I had to look up NPM as in my head it’s NodeJS Package Manager but TIL there’s also Nginx Proxy Manager!
  
  I like your VPN solution for a small group and actually tying it to their home network/router could make sense and further restrict attacks I have to deal with. However in my case I could be dealing with 30+ households of users and as others say I am bound to get people on mobiles complaining they can’t access it. However noted for future projects.
  
  source
gravitywell@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
It sounds like you’ve got the right plan. I use Anubis and fail2ban along with some manual rules on nginx to block AI bots. In my experience Anubis helps a lot, and you can monitor nginx logs over time to for scans and such to make additional ban rules on.

source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  Good to hear Anubis is effective - I would hope that takes the site out of the ‘easy target’ sort of category and most bots give up. Yeah I think monitoring is gonna be key to keep an eye on threats. Thanks!
  
  source
dogs0n@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
I think you will be fine as described.

If you want extra peace of mind with 2FA, you can use Authelia (www.authelia.com/integration/…/peertube/) or a similar service that you can put infront of peertube to handle auth.

source
- MysteriousSophon21@lemmy.world ⁨2⁩ ⁨days⁩ ago
  Authelia is great, but I’ve been using Authentik for a similar setup and it’s been rock solid with more user-friendly UI if your famly members aren’t tech savvy, pluss it has some nice passwordless options.
  
  source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  That’s a great suggestion, then I’m not relying just on the app/service to have super secure auth.
  
  source
- gkaklas@lemmy.zip ⁨2⁩ ⁨days⁩ ago
  You can also check kanidm.com and goauthentik.io as well!
  
  source
  - gkaklas@lemmy.zip ⁨2⁩ ⁨days⁩ ago
    Oh also a friend of mine is developing this, that uses passwordless magic links or passkeys github.com/dzervas/magicentry I haven’t looked much into it though!
    
    source
    -> View More Comments
rtxn@lemmy.world ⁨2⁩ ⁨days⁩ ago
Consider Tailscale. It’s a mesh VPN based on Wireguard that uses a hosted service to manage keys and devices. It works without having to expose any ports on the firewall, and can expose a service through a relay server.

Some people will say that you shouldn’t trust it because company bad, but you should give it a try and make up your own mind. If you’re feeling adventurous, you can install Headscale on a VPS to serve as a control server.

source
- dogs0n@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
  Bro said ‘no vpn’ a hundred times lol
  
  source
  - rtxn@lemmy.world ⁨2⁩ ⁨days⁩ ago
    Bro is also concerned about attacks on exposed well-known ports, in which case bro can use Tailscale Funnel to expose a service without exposing a port. Besides, bro can make up bro’s own mind.
    
    source
    -> View More Comments
SidewaysHighways@lemmy.world ⁨2⁩ ⁨days⁩ ago
i hate to sound like a shill for one thing but pangolin tunneled reverse proxy is pretty cool way to expose stuff

source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  Thanks for this suggestion - this is interesting because it looks like pangolin combines almost all the measures mentioned so far here apart from Anubis: auth provider with one-time email passcodes, geoip blocking, crowdsec plus bonus automated cert handling. It does look like it does nearly everything in one package and I can pay for them to host it for me if I don’t want to selfhost those parts. Strong contender!
  
  source
Cyber@feddit.uk ⁨2⁩ ⁨days⁩ ago
GeoIP blocking

You mention a firewall, but for any open ports still restrict the source IPs to limited ranges not “all”.

Personally, at my home’s edge firewall I have pfSense with pfBlocker and that uses a GeoIP database, so I can just pick the countries I want to allow in… you want to block as early as possible (ie at the VPS?), so you might have to look at options

If your family are in the same region, then it should be relatively easy to limit to a few ranges on the VPS

Here’s a quick search result: lite.ip2location.com/ip-address-ranges-by-country

source
- glizzyguzzler@piefed.blahaj.zone ⁨2⁩ ⁨days⁩ ago
  Just came back to say the same thing, I use this for geo ip blocking and it’s so well featured it’s insane. Any VPS, just make sure to clear local IPs (incl. docker range if using docker - though it’s been improving so much it may handle that automatically now)
  
  https://github.com/friendly-bits/geoip-shell
  
  source
  - IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
    Super useful thanks!
    
    source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  Really good point. I can definitely restrict to one country and anyone using their own VPNs/TOR/whatever will be sophisticated enough to understand why its restricted and how to keep their access.
  
  source
ryannathans@aussie.zone ⁨2⁩ ⁨days⁩ ago
Why can’t use VPN? I got my family to, wireguard app with a configuration file you send them for import is pretty straightforward and needs no configuration on the user side

source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  I’ve got probably 30+ households of people and multiply that by number of devices…this is also something that will only be live for 12 months maybe. I think if I was doing something long-lived it might be worth the effort to get everyone onto VPN but for this…just can’t justify the time. Thanks anyway.
  
  source
- Pixel@lemmy.ca ⁨2⁩ ⁨days⁩ ago
  I have a few qualms with this app:
  
  For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.
  
  It doesn’t actually replace a USB drive. Most people I know e-mail files to themselves or host them somewhere online to be able to perform presentations, but they still carry a USB drive in case there are connectivity problems. This does not solve the connectivity issue.
  
  It does not seem very “viral” or income-generating. I know this is premature at this point, but without charging users for the service, is it reasonable to expect to make money off of this?
  
  source
  - ryannathans@aussie.zone ⁨2⁩ ⁨days⁩ ago
    Wtaf are you talking about?
    
    source
    -> View More Comments
  - IanTwenty@lemmy.world ⁨1⁩ ⁨day⁩ ago
    Was this comment meant for a different conversation? We’re talking about VPNs here.
    
    source
glizzyguzzler@piefed.blahaj.zone ⁨2⁩ ⁨days⁩ ago
Assuming you’re accessing the service (Peertube in this case) from a web browser and not an app - a thing I decided on “good enough” plus “easy enough” is Authentik sitting in front of the service.

Thought process is: Peertube or some other service’s first job is the purpose for the service, so security likely won’t be as good as a service who’s first job is security.

Authentik can also do stuff like OIDC if the service likes it - and you can chain them together. I’ve got services that hit Authentik 1st and then after you’re allowed to talk to service then you can log in with Authentik OIDC. Some services seem to do it seamlessly, some make you click a “log in with Authentik” again - either way painless enough. Everyone I know is haunted by the MS “remember this login y/n” page that pops up every time you log into some stupid MS thing and it never matters if you choose y or n, it’ll be back. So even 2 steps are chill in comparison for them.

Harden Authentik, and then you can apply it to any other service you want in the future too (maybe stirling PDF, don’t even need users for that). (Feel free to harden Peertube though too - just less important and likely not needed!)

source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  
  Thought process is: Peertube or some other service’s first job is the purpose for the service, so security likely won’t be as good as a service who’s first job is security.
  
  Really good point. I see many selfhost instructions now that say ‘we don’t bother with HTTPS, just use a proxy to handle that’ and maybe auth should go the same way as in there’s good solutions that specialise in auth so it’s not worth each project doing it themselves.
  
  apps can’t deal with hitting Authentik 1st afaik
  
  Another good consideration. There is an early Peertube app but I doubt my users will be using it, web access is fine for this. Perhaps apps for things like Lemmy/Mastodon/Peertube etc will need to work better with these auth frontends in future.
  
  source
jjlinux@lemmy.zip ⁨1⁩ ⁨day⁩ ago
If you’re going to self-hosted instead of using a VPS (I know you said you’re looking at a VPS solution, this is just in case) make sure you can segregate your networks. A router that allows you to create virtual LANs, same with the access points and switches if needed.

You don’t want to expose all your devices to the internet for a few services.

source
cantankerous_cashew@lemmy.world ⁨1⁩ ⁨day⁩ ago
unethical life pro tip, but you can use the free tier of Cloudflare tunnels + Access to accomplish this. While technically against the ToS, I have been doing this with jellyfin for an over a year now, I don’t cache anything, and my overall bandwidth usage is low it’s probably not very noticeable. If I get banned at some point I’ll just create a new free account ¯\_(ツ)_/¯

source
- KairuByte@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
  How is it against the ToS? I’ve never bothered to look that deeply into their rules, but this is exactly what I do now >.>
  
  source
frongt@lemmy.zip ⁨2⁩ ⁨days⁩ ago
WAF and DMZ too.

source
- IanTwenty@lemmy.world ⁨2⁩ ⁨days⁩ ago
  👍 looks like its fairly easy to add something like ModSecurity WAF to nginx
  
  source