this post was submitted on 20 May 2024
59 points (100.0% liked)
Selfhosted
60451 readers
1002 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
What you probably want is a dmz or red/green localnets. A reverse proxy (as others have mentioned) like haproxy or nginx) are extremely unlikely to, themselves, be hacked. But they don't really add security, either.
What does add security is to have a router with a firewall, with one or more red networks, and a green network.
The red network has all of your public-facing servers. They have virtually no external access, and no internal access except to respond. It's even good to have a rule on the router that you can turn on/off that blocks all outbound connections from the red network to the external world. To upgrade a server, turn off the rule, upgrade, and then turn the rule on again. The router only forwards inbound connections from the internet on a specific port, and routes them to the server/servers on the red network(s) on a (possibly different) specific port.
Most ownage-style hacks involve (once compromised) either calling home (can't if the server is not allowed outbound connections) or opening an additional port (who cares, the router will never forward anything to that port).
Then, back up your important info, and keep multiple copies of that info - daily for a week, monthly for a few months, and yearly.