Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
As others have already said, set up a VPN like wireguard, connect to the VPN and then SSH to the server. No need to open ports for SSH.
I do have port 22 open on my network, but it's forwarded to an SSH tarpit: https://github.com/skeeto/endlessh
But Tailscale is Wireguard under the hood.
I have wireguard for other purposes but I also have ssh open on a different port. I don't much understand the argument of exchanging ssh for wireguard. In the end, we're just trading an attack vector for another.
My ssh only allows connections from my user. If I'm using password auth, I also request a 2FA.
Tail scale is also a good idea but I don't like having my control plane under someone else's control.
There is quite a significant difference. An ssh server - even when running on a non-default port - is easily detectable by scanning for it. With a properly configured Wireguard setup this is not the case. As someone scanning from the outside, it is impossible to tell if there is Wireguard listening or not, since it simply won't send any reply to you if you don't have the correct key. Since it uses UDP it isn't even possible to tell if there is any service running on a given UDP port.
The reason a VPN is better to expose than SSH, is the feedback.
If someone tries connecting to your SSH with the wrong key or password, they get a nice and clear permission denied. They now know that you have SSH, and which version. Which might allow them to find a vulnerability.
If someone connects to your wireguard with the wrong key, they get zero response. Exactly as if the port had not been open in the first place. They have no additional information, and they don't even know that the port was even open.
Try running your public IP through shodan.io, and see what ports and services are discovered.
So just run headscale then.
Or nebula
If someone finds a 0day in your SSH server and goes on drive-by attacking the whole internet you're toast.
Already moving off port 22 reduces much of the risk, essentially reducing the attack surface for drive-by attacks to zero while still being susceptible to targeted attacks -- that is, still susceptible to attackers bothering to scan the whole range. Anything that makes you unscannable (VPN, portknockd, doesn't matter) mitigates that. Even state-level actors would have to be quite determined to get through that one.
Yes it's security through obscurity. Yes it's a good idea: There's a difference between hiding your unlocked front door and hiding your military-grade front door lock, one of them is silly the other isn't.