If your SSH is using key authentication and you don't have anything silly as an attack vector, you should be grand.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
People who ho get compromised are the ones who expose a password authentication service with a short memorable password
Of course security comes with layers, and if you're not comfortable hosting services publically, use a VPN.
However, 3 simple rules go a long way:
-
Treat any machine or service on a local network as if they were publically accesible. That will prevent you from accidentally leaving the auth off, or leaving the weak/default passwords in place.
-
Install services in a way that they are easy to patch. For example, prefer phpmyadmin from debian repo instead of just copy pasting the latest official release in the www folder. If you absolutely need the latest release, try a container maintained by a reasonable adult. (No offense to the handful of kids I've known providing a solid code, knowledge and bugreports for the general public!)
-
Use unattended-upgrades, or an alternative auto update mechanism on rhel based distros, if you don't want to become a fulltime sysadmin. The increased security is absolutely worth the very occasional breakage.
-
You and your hardware are your worst enemies. There are tons of giudes on what a proper backup should look like, but don't let that discourage you. Some backup is always better than NO backup. Even if it's just a copy of critical files on an external usb drive. You can always go crazy later, and use snapshotting abilities of your filesystem (btrfs, zfs), build a separate backupserver, move it to a different physical location... sky really is the limit here.
If you do it right you shouldn't get hacked. Even if you do you can keep good immutable backups so you can restore. Also make sure you monitor everything for bad behavior or red flags.
Not my experience so far with my single service I've been running for a year. It's making me even think of opening up even more stuff.
I've been self hosting for 2 or 3 years and haven't been hacked, though I fully expect it to happen eventually(especially if I start posting my blog in places). I'd suggest self hosting a VPN to get into your home network and not making your apps accessible via the internet unless 100% necessary. I also use docker containers to minimize the apps access to my full system. Best of luck!
Yeah na, put your home services in Tailscale, and for your VPS services set up the firewall for HTTP, HTTPS and SSH only, no root login, use keys, and run fail2ban to make hacking your SSH expensive. You're a much smaller target than you think - really it's just bots knocking on your door and they don't have a profit motive for a DDOS.
From your description, I'd have the website on a VPS, and Immich at home behind TailScale. Job's a goodun.
Just changing the SSH port to non standard port would greatly reduce that risk. Disable root login and password login, use VLANs and containers whenever possible, update your services regularly and you will be mostly fine
It depends on what your level of confidence and paranoia is. Things on the Internet get scanned constantly, I actually get routine reports from one of them that I noticed in the logs and hit them up via an associated website. Just take it as an expected that someone out there is going to try and see if admin/password gets into some login screen if it's facing the web.
For the most part, so long as you keep things updated and use reputable and maintained software for your system the larger risk is going to come from someone clicking a link in the wrong email than from someone haxxoring in from the public internet.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters | More Letters |
---|---|
CGNAT | Carrier-Grade NAT |
HTTP | Hypertext Transfer Protocol, the Web |
HTTPS | HTTP over SSL |
IP | Internet Protocol |
NAS | Network-Attached Storage |
NAT | Network Address Translation |
NFS | Network File System, a Unix-based file-sharing protocol known for performance and efficiency |
Plex | Brand of media server package |
SSH | Secure Shell for remote terminal access |
SSL | Secure Sockets Layer, for transparent encryption |
TLS | Transport Layer Security, supersedes SSL |
VPN | Virtual Private Network |
VPS | Virtual Private Server (opposed to shared hosting) |
nginx | Popular HTTP server |
13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #832 for this sub, first seen 26th Jun 2024, 10:25] [FAQ] [Full list] [Contact] [Source code]
Can you (or a human) expand NPM, presumably not the Node Package Manager?