this post was submitted on 25 Jun 2023
2 points (100.0% liked)

Selfhosted

40198 readers
547 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Any guides on how to host at home? I'm always afraid that opening ports in my home router means taking the heavy risk of being hacked. Does using something like CloudFlare help? I am a complete beginner.

Edit: Thanks for all the great response! They are very helpful.

top 7 comments
sorted by: hot top controversial new old
[–] Invalid@kbin.social 2 points 1 year ago

Cloudflare yes. Even if you aren’t using tunnels it will help obfuscate your real ip. If you are hosting personal services you can also block access from countries you don’t expect to access them from.

Also it seems most bots scanning domains are checking www and the base domain url. I recommend pointing those at a vps or something like GitHub or substack if you don’t need it for something else.

Use a reverse proxy that 404s anything besides the subdomains you are actually using. Always use wildcard certs to avoid exposing subdomains and obfuscate your subdomains for common services to make them hard to guess.

Isolate your servers from the rest of your network with vlans if possible.

You will never be fully immune so all you can do is add more layers and roadblocks.

[–] jadedctrl@sopuli.xyz 1 points 1 year ago* (last edited 1 year ago) (1 children)

From what I understand, opening a port isn’t a risk in and of itself — it’s only a risk if the software using the port is insecure! So long as you use reliable software and take care to configure things properly (following through with instructions from a site like ArchWiki or the official documentation helps), you’re good.

CloudFlare is more for DDOS protection, which you almost certainly don’t need . You could always set up DDOS protection later on, if the need ever arises.

Yeah, unless you're worried about people targeting your IP specifically, using a reverse proxy service seems like more complexity without more security. Not opening ports, and especially not opening well known ports, is just superstition. It just changes where somebody connects to the service without limiting access to or securing the service.

[–] terribleplan@lemmy.nrd.li 1 points 1 year ago* (last edited 1 year ago)

There are ways to host things from home without opening ports in your router at all, this usually involves running something that calls/tunnels out of your network and back to some service and accepts incoming connections and sends them "baskward" over that connection. Cloudflare offers something called Tunnel, ngrok does something similar (though mainly aimed at development and not production hosting), and you can even host something yourself using something like frp (which is what I use, even for the Lemmy instance I am writing this from).

I haven't looked too closely at it, but there is an awesome-tunneling page someone put together that goes over these options and more.

Let me know if you want a bit more details on these options or specifics of how I've set up frp.

Assuming you use Docker or some kind of container runtime I found a list of best practices: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

[–] midas@ymmel.nl 0 points 1 year ago* (last edited 1 year ago) (1 children)

First you've got to determine where threats can come from, then which surfaces are vulnerable and eventually the reach. In short what I mean:

SSH port (default 22) is high on the threat encounter level. Lots of bots try to scan every host they can find for an open SSH port. The risk is high because this is a doorway to your network. There's honestly no good reason to have port 22 open to your home. Get tailscale vpn. There are alternatives, I use tailscale, it's great.

When youre hosting apps, they can also be vulnerable. Keep them updated and you'll mostly be fine. There are levels of security. Super super secure is creating seperate networks for these apps so they can't access others. Bit much imo. Use non-rooted docker, enough of a sandbox.

In the end you're a small fish in a big pond, not saying you should be a cowboy but with a few decent measures you should be OK.

Tl;dr

  • don't open port 22
  • use a VPN (tailscale)
  • update apps
  • non-rooted docker
[–] iliketurtles@lemmy.world 0 points 1 year ago

What's wrong with exposing port 22? I have password authentication disabled, ssh keys only. Isn't that secure enough?