miau

joined 1 year ago
[–] miau@lemmy.sdf.org 2 points 2 weeks ago

Wow, thats very, very nice. I didnt know this even existed.

But I suppose if it had widespread support it would be the perfect solution.

Firefox mobile not supporting it might be a dealbreaker though, since it is the browser I use and the one I persuaded all my friends and family to switch to...

But this is an incredibly interesting technology and I will surely look into implementing at least partially if that works.

Thanks a lot for sharing!

[–] miau@lemmy.sdf.org 2 points 2 weeks ago

I didnt mention on my original post but I do have a virtual machine on gcp, which I use to run mongodb. I didnt mention it because I am not too concerned with it, but mostly it follows the same practices, with the exception being that ssh is open and it has no private data in it.

But I suppose I could do something similiar to what you mentioned. The ideia of having and eating the cake is very nice. And if something goes wrong I could turn of public access and have the vpn still working.

I will consider implementing something like that as well, thanks a lot for sharing your thoughts!

[–] miau@lemmy.sdf.org 2 points 2 weeks ago

Yes absolutely. For work most of my clients use cloudflare's different services so I understand they have credibility.

For me though, part of the reason I self host is to get away from some big tech companies' grasp. But I understand I am a bit extreme at times.

So thanks for opening my mind and pointing me to that very interesting discussion, as well as for sharing your setup, it sure seems to be very sound security wise.

[–] miau@lemmy.sdf.org 3 points 2 weeks ago

Thats a good point. Maybe I can get away with just temporary file sharing. So when someone wants something I can upload it to the server and send a link. I bet even nextcloud could do that.

Still way less scary then having everything on the server all the time

[–] miau@lemmy.sdf.org 3 points 2 weeks ago (1 children)

Id like to know as well. I definetely dont want to be the first person of that story tough

Ive heard of someone who exposed the docker management port on the internet and woke up to malware running on their server. But thats of course not the same as web services.

[–] miau@lemmy.sdf.org 1 points 2 weeks ago

Oh, now I get what you mean, thanks for the explanation

Yeah it makes sense, I had originally gone with onedrive for the much cheaper price but I will take a look into s3 compatible storage and consider migrating in the future.

[–] miau@lemmy.sdf.org 4 points 2 weeks ago (2 children)

Thanks for your reply!

Suggestion 1 definetely does make a lot of sense and I will be doing exactly that asap. Its something I didnt think through before but that would make me much more in peace.

Suggestions 2-4 sound very reasonable, I have indeed searched for a way to self host a waf but didnt find much info. My only only concern with your points is... Cloudflare. From my understanding that would indeed add a lot of security to the whole setup but they would then be able to see everything going through my network, is that right?

[–] miau@lemmy.sdf.org 6 points 2 weeks ago (2 children)

Been there, done that lol, my ISP doesnt change my IP half as much as I should like, and I renew my certs half as often as they deserve.

Seriously though, I had certs expire twice until I finally decided to get this setup properly.

[–] miau@lemmy.sdf.org 1 points 2 weeks ago (3 children)

I see, I appreciate you sharing your knowledge on the matter.

Yeah I thoght about the spike in size, which I would definetely notice because the amount of data is pretty stable and I have limited cloud storage.

Regarding your last point, I currently have everything under a user account: the data I am backing up, the applications and restic itself all run on the same user account. Would it be a good ideia to run restic as root? Or as a different service account?

[–] miau@lemmy.sdf.org 1 points 2 weeks ago (3 children)

Thanks for replying!

I do use dns challanges for renewing my certs. But I use port 443 for application data, not for certs.

Is a vpn always safer then a reverse proxy? Do you use wireguard or do you have any other options worth looking into?

[–] miau@lemmy.sdf.org 1 points 2 weeks ago (5 children)

I don't know much about ransomware but thats what got me concerned. I always assumed if I were to be infected, restic would just create a new snapshot for the files and Id be able to restore after nuking the server.

[–] miau@lemmy.sdf.org 2 points 2 weeks ago

Thanks a lot for your input. I honestly had not considered this possibility.

Others in the post recommended removing those important files from the public facing server so that in the case of an attack they wouldnt be exposed. So I will try and follow this recommendation asap.

But your answer still applies to everything else I will be hosting so I am concerned. I had no idea ransomware was this smart. I will research more about this topic, but basically if I access a file from two different servers and its fine it means the file is free from infection?

 

I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has "--net host", although the containers can access host services because they have the option "--map-guest-addr" set, so I don't know if this is any safer then "--net host".

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don't think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don't really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

view more: next ›