this post was submitted on 24 Jul 2024
118 points (99.2% liked)

Selfhosted

60048 readers
715 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
118
Good guides for the security you need to set up for self hosting? (programming.dev)
submitted 2 years ago* (last edited 2 years ago) by JackbyDev@programming.dev to c/selfhosted@lemmy.world
24 comments fedilink hide all child comments
 

Opening your router to the Internet is risky. Are there any guides for the basics to keep things secure? Things like setting up fail2ban? My concern is that I'll forget something obvious.

Edit: I haven't had much of a chance to read through everything yet, but I really appreciate all these long, detailed responses. ❤️ Thanks folks!

you are viewing a single comment's thread
view the rest of the comments
[–] BearOfaTime@lemm.ee 2 points 2 years ago* (last edited 2 years ago) (1 children)

I think there's a lot of risk exposing your home IP with services behind it. Last time I did it, within minutes the router got slammed with requests trying to break into services. It actually impacted router performance.

Great writeup!

[–] TCB13@lemmy.world 1 points 2 years ago* (last edited 2 years ago)

That looks like a DDoS, for instance that doesn't ever happen on my ISP as they have some kind of DDoS protection running akin to what we would see on a decent cloud provider. Not sure of what tech they're using, but there's for certainly some kind of rate limiting there.

  1. Isolate the server from your main network as much as possible. If possible have then on a different public IP either using a VLAN or better yet with an entire physical network just for that - avoids VLAN hopping attacks and DDoS attacks to the server that will also take your internet down;

In my case I can simply have a bridged setup where my Internet router get's one public IP and the exposed services get another / different public IP. If there's ever a DDoS, the server might be hammered with request and go down but unless they exhaust my full bandwidth my home network won't be affected.

Another advantage of having a bridged setup with multiple IPs is that when there's a DDoS/bruteforce then your router won't have to process all the requests coming in, they'll get dispatched directly to your server without wasting your router's CPU.

As we can see this thing about exposing IPs depends on very specific implementation detail of your ISP or your setup so... it may or may not be dangerous.