How do you all handle security and monitoring for your publicly accessible services?
-
Sorta, you have to install your certificate authority into the browser and it might complain about verifying that but it will still connect with the encryption.
-
No no, what I meant is that if I connect to your server without the certificate installed don't I just get the warning and I can still get through?
-
Not unless an http port is open too. If the only port is https, you have to have the certificate. Like with my AI stuff it acts like the host is down if I try to connect with http. You have to have the certificate to decrypt anything at all from the host.
-
Oh, I really didn't know that. Thanks
-
I would put this stuff behind VPN.
-
Auth portal for VPN tunnell -> Authelia -> fail2ban -> VLAN with services only.
Keep that VLAN segmented. You're good unless you're a DOGE employee, then I'd recommend quite a bit more security.
-
Some of these you're already doing, but writing a complete* list.
*almost garuanteed not to be complete, suggestions welcome- Have everything behind the same reverse proxy, so that you have only one endpoint to worry about. Run it through ssllabs or similar to check your config.
- On your reverse proxy, add one or more layers of authentication if possible. Many possibilities here: If one app supports client certificates, while another has limited capabilities, you could probably tie together something where IPs are whitelisted to the ither services based on that certificate auth.
- Geoblock all countries you won't be accessing from
- crowdsec is pretty nice, this detects/blocks threats. kinda like fail2ban but on steroids.
- if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of "if it's compromised, they're not in your house".
lastly consider if these things need to be publically avilable at all. I'm happy with 95% of my services only being available through Tailscale (mesh VPN, paid service with good enough free tier, open source+free alternatives available), and I've got tailscale on all my devices
-
So among my services I self host, a few need to be publicly accessible for work. For those I wish to remain private, I use Caddy allowing only private IP ranges, plus then Authelia as auth which is set to 30 days. There is then the login of each service being Authelia as well. It's as good as it needs to be for my needs.
If I were only self hosting private services, then as others have said, I would put all access through a VPN.
-
By not making them publicly accessible. With Wireguard there's really no reason.
Setup service to be active on a subnet, enable Wireguard to VPN into the subnet and use the services.
-
Yes this is the main reason for me. If you're alone then you don't care that things occasionally don't work. Once you have at least one more person or potentially the extended family it's a whole different story. And then in my opinion a potentially not 100% secured publicly accessible immich instance at home is magnitudes better than having the family just use google photos.
Because like you say, every little hick up from your site is met with "why can't we just use $bigtech instead, it always works".
-
Check out crowdsec. Like fail2ban, but with crowdsourced lists on top.
-
This is the way. Layer 3 separation for services you wish to access outside of the home network and the rest of your stuff, with a VPN endpoint exposed for remote access.
It may be overkill, but I have several VLANs for specific traffic:
- DMZ - for Wireguard (and if I ever want to stand up a Honeypot)
- Services - *arr stack, some Kubes things for remote development
- IoT - any smart things like thermostat, home assistant, etc
- Trusted - primary at home network for laptops, HTPCs, etc
There are two new additions: a ext-vpn VLAN and a egress-vpn VLAN. I spun up a VM that's dual homed running its own Wireguard/OpenVPN client on the egress side, serving DHCP on the ext-vpn side. The latter has its own wireless ssid so that anyone who connects to it is automatically on a VPN into a non-US country.
-
IOT botnets are a thing. And if someone wanted to fire sell the US, all the vulnerable home networks would be on the table too. Great for a bit if extra chaos.
-
I agree with WG however I need https for a few locally hosted items like actual budget so I have that through nginx proxy manager. I was debating adding Authelia in front with some of my others (audiobook shelf, home assistant and music assistant) as sometimes I disconnect from my home network and forget to reconnect.
-
will do, thanks
-
Caddy only allows private IP ranges
Do you mind telling me more about this? How does that work; a VPN?
-
-
check
-
check
-
check
-
I saw someone else recommend crowdsec. I'll look into it, thanks
if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of “if it’s compromised, they’re not in your house”.
I've heard this mentioned before but I don't really understand how this works in practice. If the VPS was compromised, couldn't they use the VPN to then connect to my home?
-
-
I've seen a bunch of people recommend Authelia. Do you mind if I ask why you went with it over other software? I only went with authentik because I found a tutorial on it first
-
With Wireguard there's really no reason.
Well, that's kinda of a personal choice. If somebody needs to have services accessible by someone else besides him, that service can't be behind a VPN (let's face the truth: we know that we can't ask all out relatives and friends to use a VPN).
-
Sure, so I use Caddy as a reverse proxy for all my subdomains, the public ones direct straight to whatever service(s) are on IP:port etc, then the private ones only allow private IP ranges of which one is my VPN subnet, therefore only allowing LAN and VPN access. I then also have a section for each of the private subdomains with Authelia authentication which is omitted here:
(allowed) { @allowed client_ip 192.168.1.0/24 192.168.10.0/24 192.168.20.0/28 } sub.domain.com { import allowed handle @allowed { reverse_proxy 192.168.80.8:8080 } handle { abort } }
