How do you all handle security and monitoring for your publicly accessible services?
-
will do, thanks
-
Caddy only allows private IP ranges
Do you mind telling me more about this? How does that work; a VPN?
-
-
check
-
check
-
check
-
I saw someone else recommend crowdsec. I'll look into it, thanks
if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of “if it’s compromised, they’re not in your house”.
I've heard this mentioned before but I don't really understand how this works in practice. If the VPS was compromised, couldn't they use the VPN to then connect to my home?
-
-
I've seen a bunch of people recommend Authelia. Do you mind if I ask why you went with it over other software? I only went with authentik because I found a tutorial on it first
-
With Wireguard there's really no reason.
Well, that's kinda of a personal choice. If somebody needs to have services accessible by someone else besides him, that service can't be behind a VPN (let's face the truth: we know that we can't ask all out relatives and friends to use a VPN).
-
Sure, so I use Caddy as a reverse proxy for all my subdomains, the public ones direct straight to whatever service(s) are on IP:port etc, then the private ones only allow private IP ranges of which one is my VPN subnet, therefore only allowing LAN and VPN access. I then also have a section for each of the private subdomains with Authelia authentication which is omitted here:
(allowed) { @allowed client_ip 192.168.1.0/24 192.168.10.0/24 192.168.20.0/28 } sub.domain.com { import allowed handle @allowed { reverse_proxy 192.168.80.8:8080 } handle { abort } } -
By the time you get the alert and act on it, it’s too late.
Don’t expose these things to the open internet; VPN back into your network and access them.
-
HA had 2 security audits. I would not worry too much. Always depends on what you can control with it. https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/
-
Wazuh
Active responses are like fail2ban but better
-
If you are just using a self signed server certificate anyone can connect to your services. Many browsers/applications will fail to connect or give a warning but it can be easily bypassed.
Unless you are talking about mutual TLS authentication (aka mTLS or two way ssl). With mutual TLS in addition to the server key+cert you also have a client key+cert for your client. And you setup your web server/reverse proxy to only allow connections from clients that can prove they have that client key.
So in the context of this thread mTLS is a great way to protect your externally exposed services. Mutual TLS should be just as strong of a protection as a VPN, and in fact many VPNs use mutual TLS to authenticate clients (i.e. if you have an OpenVPN file with certs in it instead of a pre-shared key). So they are doing the exact same thing. Why not skip all of the extra VPN steps and setup mTLS directly to your services.
mTLS prevents any web requests from getting through before the client has authenticated, but it can be a little complicated to setup. In reality basic auth at the reverse proxy and a sufficiently strong password is just as good, and is much easier to setup/use.
Here are a couple of relevant links for nginx. Traefik and many other reverse proxies can do the same.
-
I've tried different approaches with fail2ban, crowdsec, VPNs, etc. What I settled on is to divide the data of my services in two categories: confidential and "I can live with it leaking".
The ones that host confidential data is behind a VPN and has some basic monitoring on them.
The ones that are out in the public are behind a WAF from cloudflare with pretty restrictive rules.
Yes, cloudflare suck etc., but the value of stopping potential attacks before they reach your services is hard to match.
Just keep in mind: you need layers of different security measures to protect your services (such as backups, control of network traffic, monitoring and detection, and so on).
-
I'll look into it, thank you
-
has some basic monitoring on them.
What monitoring software are you using?
I feel like the other measures you talked about (backups, condom of network traffic, etc) I'm doing ok on. Its really just the monitoring where I'm stuck. There's so many options
-
There’s also something to be said about some services being cordoned off in a VPN while leaving some public with security. I don’t necessarily want everyone within my full network if all I want is to share one service with them.
-
For that, you can restrict access to a single service with iptables.
-
Just out of curiosity, why do you disconnect from your home VPN?
-
There should be an option in your phone VPN setup to reconnect if app X is being used.
-
Yah, it's just a hobby for you, but it's also a hobby for script kiddies to use Shodan to find people with out of date web interfaces and pop them. I tell you right now, the Immich team would be the first to say not to put their application publicly accessible.
Just don't get into this practice, it ends in tears and is way more maintenance to stay protected than just setting up tailscale and using that.
-
If somebody needs to have services accessible by someone else besides him, that service can’t be behind a VPN
Again, this is the reason VPS' exist. If that person needs access, then setup Wireguard...
It's like saying you don't need a front gate with an access code because then you would have to give out your own access code. But I mean, the lock has the ability to setup more access codes. And you're saying the only viable option is the leave the gate open and hire a guard to manage access. It's just... Weird and wrong.
-
Why not swap from nginx-proxy-manager to Caddy2, which can handle everything? SSL and reverse_proxy?
