What steps do you take to secure your server and your selfhosted services?
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
-
System shared this topic on
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Disable password authentication on SSH
Enable firewall and block all ports you're not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth... Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
I don't put it on the Internet.
I have automatic updates enabled and once in a while I scan with Nessus. Also I have backups. Stuff dying or me breaking it is a much greater risk than getting hacked.
-
Disable password authentication on SSH
Enable firewall and block all ports you're not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth... Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
This and fail2ban
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
My new strategy is to block EVERY port except WireGuard. This doesn't work for things you want to host publicly ofc, like a website, but for most self host stuff I don't see anything better than that.
-
I don't put it on the Internet.
I have automatic updates enabled and once in a while I scan with Nessus. Also I have backups. Stuff dying or me breaking it is a much greater risk than getting hacked.
Is Nessus free for personal use?
-
I don't put it on the Internet.
I have automatic updates enabled and once in a while I scan with Nessus. Also I have backups. Stuff dying or me breaking it is a much greater risk than getting hacked.
I agree - I don’t expose anything to the internet other than the WireGuard endpoint.
I’m only hosting services that my immediate family need to access, so I just set up WireGuard on their devices, and only expose the services on the LAN.
I used to expose services to the internet, until one of my #saltstack clients was exploited through a very recent vulnerability I hadn’t yet patched (only a week or so since it was announced). I was fortunate that the exploit failed due to the server running FreeBSD, so the crontab entry to download the next mailicious payload failed because wget wasn’t available on the server.
That’s when I realised - minimise the attack surface - if you’re not hosting services for anyone in the world to access, don’t expose them to everyone in the world to exploit.
-
Is Nessus free for personal use?
For up to 16 endpoints or something like that, yes.
-
Disable password authentication on SSH
Enable firewall and block all ports you're not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth... Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
This, but I prefer nginx.
And no real need for tailscale or cloudflare. If you do not like to depend on a third party service, either port forward and ddns or an external vps+wire guard if you have gcnat
-
I agree - I don’t expose anything to the internet other than the WireGuard endpoint.
I’m only hosting services that my immediate family need to access, so I just set up WireGuard on their devices, and only expose the services on the LAN.
I used to expose services to the internet, until one of my #saltstack clients was exploited through a very recent vulnerability I hadn’t yet patched (only a week or so since it was announced). I was fortunate that the exploit failed due to the server running FreeBSD, so the crontab entry to download the next mailicious payload failed because wget wasn’t available on the server.
That’s when I realised - minimise the attack surface - if you’re not hosting services for anyone in the world to access, don’t expose them to everyone in the world to exploit.
I don’t expose anything to the internet other than the WireGuard endpoint.
This is the way
-
I agree - I don’t expose anything to the internet other than the WireGuard endpoint.
I’m only hosting services that my immediate family need to access, so I just set up WireGuard on their devices, and only expose the services on the LAN.
I used to expose services to the internet, until one of my #saltstack clients was exploited through a very recent vulnerability I hadn’t yet patched (only a week or so since it was announced). I was fortunate that the exploit failed due to the server running FreeBSD, so the crontab entry to download the next mailicious payload failed because wget wasn’t available on the server.
That’s when I realised - minimise the attack surface - if you’re not hosting services for anyone in the world to access, don’t expose them to everyone in the world to exploit.
TBF if you want, you can have a bastion server which is solely whitelisted by IP to stream your content from your local server. It's obviously a pivot point for hackers, but it's the level of effort that 99% of hackers would ignore unless they really wanted to target
you. And if you're that high value of a target, you probably shouldn't be opening any ports on your network, which brings us back to your original solution.I, too, don't expose things to the public because I cannot afford the more safe/obfuscated solutions. But I do think there are reasonable measures that can be taken to expose your content to a wider audience if you wanted.
-
This and fail2ban
Anything else?
-
Anything else?
There are ip lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
-
There are ip lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…
Good advice outside of this use case!
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
I expose some stuff through IPv6 only with my Synology NAS (I am CGNATED) and I have always wondered if I still need to use fail2ban in that environment...
My Synology has an auto block feature that from my understanding is essentially fail2ban, what I don't know is if such a feature works for all my exposed services but Synology's.
-
My new strategy is to block EVERY port except WireGuard. This doesn't work for things you want to host publicly ofc, like a website, but for most self host stuff I don't see anything better than that.
I do this too. Took me a little effort to set things up, but now its so easy.
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Default block for incoming traffic is always a good starting point.
I'm personally using crowdsec to good results, but still need to add some more to it as I keep seeing failed attacks that should be blocked much quicker. -
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Just tailscale really.
My services are only exposed to the tailscale network, so I don't have to worry about otger devices on my LAN.
A good VPN with MFA is all you really need if you are the only user.
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
use a cheap vlan switch to make an actual vlan DMZ with the services' router
use non-root containers everywhere. segment services in different containers
-
I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…
Good advice outside of this use case!
Yeah, there were other countries to ban, but those 2 cut my attacks down 90%.
Also consider a honeypot that triggers when anyone tries to ssh it at all.
