Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Dumb question: why does everyone is so terribly afraid of opening stuff to the internet ? What's the scenario?
Allowing external access to your services means that any misconfiguration or bugs can be exploited to gain control of your machine(s).
Once that happens they can be fucked with, your data stolen, your resources co-opted for someone else’s use, etc. and often times it can be made to look as though whatever bad shit it’s doing is your doing.
So, understand your security posture. You can’t be too careful. Taking over weak or exposed machines is a global industry now.
But you can, in fact, be too careful. Availability is one arm of the security triad.
If whatever complex configuration you have set up to avoid exposing something to the Internet is incompatible with something and what you wanted to do can't be done, or if you look and see that setting all that up would be too hard and don't bother to expose the service at all, then your security posture is incorrect because your service is just as unavailable as if someone else broke it.
At the same time, taking over exposed machines has never been more difficult.
It starts with being used in a botnet. Then your data can be either erased, corrupted or encrypted against ransom.
i've set up servers with static ips in datacenter settings before. the way you know you're online is usually that your cpu activity jumps a few percent from all the incoming ssh traffic from russia and china. i don't want to risk anything happening to my home server.
so fun to look through the ssh log and see hundreds of attempts...
Quick question: If I look through the ssh log and I don't see the hundred of attempts, what could be going on?..
I am not sure lol. perhaps your ssh port isn't exposed to the internet, or maybe the bots are just ignoring you? maybe your hosting provider has some sort of security process to reject those attempts preemptively?
I have no clue
Ignoring ? Nah someone mentionned my ISP might be protecting me uphill.
Are you not actually open to the public internet? Is it running on a nonstandard port? Is it already pwned and something is scrubbing logs?
Non standard port. But aren't secret chinese hack farm scanning wider than just 22 ? I don't know and deep down believe that it's pawned and scrubbing logs.
The resources required to port scan every port on every IP is generally not worth it. AFAIK they tend to stick to lower ports or popular ports. Unless they're intentionally targeting a specific IP or IP range, they're just looking for low hanging fruit.
Low hanging fruits are, in my personal case, pictures of my cats and public domain cultural artefacts.
Industrializing hacking of random servers sounds like a shitty idea at the end of the day...
The ability to generate a bunch of traffic that looks like it's coming from legit, every-day residential IPs is invaluable to disinformation campaigns. If they can get persistence in your network, they can toss it into a bot net which they'll sell access to on the dark web.
A sucker opens insecure services to the open internet every day, that's free real estate to bot farms. Only when the probability of finding them is low enough is it not worth the energy/network costs. I think hosting on non-standard ports is probably correlated with lowering that probability below some threshold where it becomes not worth it...don't quote me, though.
At the end of the day, the rule is not to depend on security by obscurity, but that doesn't mean never use it.
This whole thread (that I shamelessly hijacked) is very informative and allowed me to understand that cybersecurity is in practice a mixture of concrete nerdy log books and vague feeling of being under a threshold of worthiness.
I woke up this morning and there was a faint noise coming from the server: immediately thought "ok that's it, it's pawned and become a node in a vast grid of malicious bots"....it was a cron verification of drives
Hah yeah, I've definitely pulled the plug on my router before because I wasn't sure what I was seeing.
I mean, cybersecurity I would consider to be a research field. In practice, yeah, it's a bunch of people just doing their best.
I tend to keep everything inside my network and only expose what I need visible on non standard ports, one of those being a VPN. It's not that I couldn't run these services public facing, it's that the people taking the time to constantly update, configure, and auditing everything full time to head off red team are being paid. I don't need to deal with an attack surface any larger than it needs to be, ain't nobody got time for that.
Missconfigurations allowing bots and shit hacking you. Overblown paranoia mostly if you just take some precautions
Okay thanks for mentionning overblown paranoia, that's what I have.
What kind of exploitable server misconfigurations are we talking about here?? Brute forcing won't work because fail2ban, right? I'm a noob and deep down I'm convinced that my homeserver is compromised and has beenpart of a bitcoin mining farm for years... Yet, not a single proof...
The very first Linux server I deployed on a VPS was hacked almost immediately because of my ignorance. The bot gained entrance, and they supplanted a miner rig. Now, on a tiny VPS, it's pretty easy to tell if you're running a coin miner because all of the resources will be pegged. However, I got to thinking, on a corporate server, if they did manage to do this, it would almost be undetectable until someone started reviewing logs.
Corporate servers will usually have some degree of SIEM implemented, and at least automatic audit log monitoring.
Aren't zero day very specific? Or maybe it's become a very generic term.
Anyway, I am under the impression that either it's suddenly very simple to hack into EVERYONE because someone zero dayed the wireguard protocol and there a major flow in it, it's a shitshow, for all, for some, just me or nobody, whatever. Or it's a very targeted attack on me personaly, and that's a whole other story and the means to protect my pictures of my cats and my cool public domain movies collection are different (think social engineering). Also port 22 being bombarded by brute force attempts so don't choose a password that's 6 letters thanks.
I KNOW I am missing many things, but still, I don't get it.
React2Shell is exactly the shitshow situation yes. Suddenly we are all at risk. But in this case, I'm sorry to say that my cats' pictures are worthless.
Your point on nginx/wireguard makes me think that it might be better to htaccess through a reverse proxy than relying on a built in login system. For exemple, I should deactivate jellyfin's login and put it behind an htaccess at the proxy's level. Is that completely dumb?
Anyway, I clearly need to research "threat models" and cyber/infosec more. Thank you very much!
I'm paranoid dude, I don't need the whole world judging my awful taste in TV shows!
I set up Jellyseer so my friends can request whatever. Just blame your full collection of My Little Pony and Gilmore girls on that one friend from Finland (unless you're in Finland, and then use Greece).
lol
The first thing I opened to the internet was a SSH server. 28 minutes after opening it, I started getting constant entry attempts.
It’s not just opening stuff to the internet, it’s opening stuff to the internet without any authentication in this case. If you don’t know how that’s bad…….
Yeah sorry I missed the part where it has no authentification whatsoever, that's just open bar.
Authentification + monitoring + fail2ban + ip blacklist