Got any security advice for setting up a locally hosted website/external service?
-
Setting up a personal site on local hardware has been on my bucket list for along time. I finally bit he bullet and got a basic website running with apache on a Ubuntu based linux distro. I bought a domain name, linked it up to my l ip got SSL via lets encrypt for https and added some header rules until security headers and Mozilla observatory gave it a perfect score.
Am I basically in the clear? What more do I need to do to protect my site and local network? I'm so scared of hackers and shit I do not want to be an easy target.
I would like to make a page about the hardware its running on since I intend to have it be entirely ran off solar power like solar.lowtechmagazine and wanted to share technical specifics. But I heard somewhere that revealing the internal state of your server is a bad idea since it can make exploits easier to find. Am I being stupid for wanting to share details like computer model and software running it?
Keep it segregated from your internal network, no password auth, or better yet, install a privatenet client (Tailscale, Zerotier...etc) and don't open SSH ports at all, consider using a Cloudflare Tunnel or similar...that's a basic start.
Honestly, if you're serving a static site, just deploy it on Digitalocean Apps or R2 for free and skip all the worry and get all the Cloudflare protection built-in.
-
Setting up a personal site on local hardware has been on my bucket list for along time. I finally bit he bullet and got a basic website running with apache on a Ubuntu based linux distro. I bought a domain name, linked it up to my l ip got SSL via lets encrypt for https and added some header rules until security headers and Mozilla observatory gave it a perfect score.
Am I basically in the clear? What more do I need to do to protect my site and local network? I'm so scared of hackers and shit I do not want to be an easy target.
I would like to make a page about the hardware its running on since I intend to have it be entirely ran off solar power like solar.lowtechmagazine and wanted to share technical specifics. But I heard somewhere that revealing the internal state of your server is a bad idea since it can make exploits easier to find. Am I being stupid for wanting to share details like computer model and software running it?
wrote on last edited by [email protected]Fail2ban ufw nftables
port forward only the bare minimum (80 443)
Expose docker ports with 127.0.0.1:8000:8000 then port forward with caddy server on the host
Edit: add nftables
-
Fail2ban ufw nftables
port forward only the bare minimum (80 443)
Expose docker ports with 127.0.0.1:8000:8000 then port forward with caddy server on the host
Edit: add nftables
wrote on last edited by [email protected]This is dangerous advice because docker is well-known for undoing UFW’s iptable rules. It’s mitigated by binding to localhost, but still way too easy for people to shoot themselves in the foot by using the two together.
-
This is dangerous advice because docker is well-known for undoing UFW’s iptable rules. It’s mitigated by binding to localhost, but still way too easy for people to shoot themselves in the foot by using the two together.
Docker is going to undo your port iptable rules with or without ufw
Running
rm -rf ~isn’t that hard to do either just don’t do it.Your router’s NAT should save you if that happens on the wrong port anyway.
-
Docker is going to undo your port iptable rules with or without ufw
Running
rm -rf ~isn’t that hard to do either just don’t do it.Your router’s NAT should save you if that happens on the wrong port anyway.
wrote on last edited by [email protected]You shouldn’t suggest UFW at all then. There are other firewall options that can be used just fine with docker.
It does have real potential to cause issues, e.g. if OP were to put their server in DMZ mode on their router and later copy some docker setup instructions that don’t explicitly bind to localhost.
-
Setting up a personal site on local hardware has been on my bucket list for along time. I finally bit he bullet and got a basic website running with apache on a Ubuntu based linux distro. I bought a domain name, linked it up to my l ip got SSL via lets encrypt for https and added some header rules until security headers and Mozilla observatory gave it a perfect score.
Am I basically in the clear? What more do I need to do to protect my site and local network? I'm so scared of hackers and shit I do not want to be an easy target.
I would like to make a page about the hardware its running on since I intend to have it be entirely ran off solar power like solar.lowtechmagazine and wanted to share technical specifics. But I heard somewhere that revealing the internal state of your server is a bad idea since it can make exploits easier to find. Am I being stupid for wanting to share details like computer model and software running it?
Use a reverse proxy in a DMZ. You can use something like Bunkerweb + Crowdsec to give you a WAF and dynamic IP blocklist in front of your web service.
-
You shouldn’t suggest UFW at all then. There are other firewall options that can be used just fine with docker.
It does have real potential to cause issues, e.g. if OP were to put their server in DMZ mode on their router and later copy some docker setup instructions that don’t explicitly bind to localhost.
Please tell me more, which firewall would you recommend that plays nice with Docker?
No NAT? Hahaha that’s a big if, and why would you copy paste a docker compose without reading it?
-
Please tell me more, which firewall would you recommend that plays nice with Docker?
No NAT? Hahaha that’s a big if, and why would you copy paste a docker compose without reading it?
@[email protected] nftables
-
@[email protected] nftables
Cool! ufw supports nftables too.
-
Cool! ufw supports nftables too.
@[email protected] yes. but I use it without UFW.
-
@[email protected] yes. but I use it without UFW.
::: spoiler joke 18+
Fine I’ll go sit in the cuck chair again while you write out those long hard nftables commands to my server.
::: -
You might want to set up dynamic DNS for your domain. If you're hosting from a residential internet connection then your ISP will change your address eventually. Ddclient can be used to report your current IP to your Registrar regularly, so if it changes the domain moves along with it.
Depends on your ISP and where in the world you live.
-
Keep it segregated from your internal network, no password auth, or better yet, install a privatenet client (Tailscale, Zerotier...etc) and don't open SSH ports at all, consider using a Cloudflare Tunnel or similar...that's a basic start.
Honestly, if you're serving a static site, just deploy it on Digitalocean Apps or R2 for free and skip all the worry and get all the Cloudflare protection built-in.
wrote on last edited by [email protected]Cloudflared is such a nice feature, I have seperate tunnels for different services hosted on the one machine.
-
Setting up a personal site on local hardware has been on my bucket list for along time. I finally bit he bullet and got a basic website running with apache on a Ubuntu based linux distro. I bought a domain name, linked it up to my l ip got SSL via lets encrypt for https and added some header rules until security headers and Mozilla observatory gave it a perfect score.
Am I basically in the clear? What more do I need to do to protect my site and local network? I'm so scared of hackers and shit I do not want to be an easy target.
I would like to make a page about the hardware its running on since I intend to have it be entirely ran off solar power like solar.lowtechmagazine and wanted to share technical specifics. But I heard somewhere that revealing the internal state of your server is a bad idea since it can make exploits easier to find. Am I being stupid for wanting to share details like computer model and software running it?
pangolin?
