this post was submitted on 15 Apr 2026
43 points (100.0% liked)


I’m setting up a new server and am planning to try applications such as Jellyfin, Baikal, Nextcloud, Syncthing, Immich, Home Assistant, SearXNG, CryptPad, and possibly Element/Synapse if my little pi4 can handle it.

I’ll probably only have three users, so I’m hoping to fit a fair amount on my pi4 (8GB RAM), but will add a mini PC if I need to. I do not plan on making any service publicly available without logging in as a user on my Yunohost server. I will eventually switch to a Docker setup, but for now the Yunohost Debian setup is much more user-friendly for me, and everything has been pretty functional as-is.

I’m mostly concerned for a baseline level of security. One user suggested:

  • patch/upgrade your kernel and services regularly
  • run a hardened kernel with stack protection and address space randomization
  • Put a firewall between you and the internet with only minimal ports open
  • Scan your machine and ensure no extra ports are open
  • Disable/remove every device driver the kernel has that you aren't using
  • Remove all software on the device that isn't in active use or part of your debugging toolset, and disable all features of services you don't need.
  • Add an extra trustworthy layer of authorization to Nextcloud before you can talk to PHP
  • Disable root ssh access completely
  • Disable user ssh access except for via ssh key
  • Encrypt the most critical data client side, so access to the server doesn't give access to the data (e.g. my passwd database is in nextcloud, but the key to unlock it isn't)
  • Use 2-factor authentication
  • Only allow access over VPN
  • Firewall whitelist only networks you know you and your users might be accessing from. No reason why a host on a random ISP from Kazakhstan should be allowed to even attempt a login.

Plan: From that, I plan to take the suggestion for

  • disabling root SSH and only use the authentication key setup
  • change the default SSH port, port forward through a VPN service
  • use encrypted backups on client side (phones and computers)
  • Yunohost to my knowledge uses nftables built-in for a firewall, so I can default block everything and whitelist the services I need

Yunohost does not yet support 2FA login, but suggests disabling the web API if it will not be used, to decrease attack surface.

Questions:

  1. Would security for ports be sufficient to use a VPN service like Wireguard or Proton VPN and enable port forwarding? Or simply disable unused ports?

  2. Should I disable ports that Yunohost defaults on? These are: TCP ports 22, 25, 53, 80, 443, 587, 993, 5222, 6269 and UDP ports 53, 1900, 5353. I am new to network stuff but understand that 22 is the default SSH until I were to change it, 80 is needed for HTTP, 443 is needed for HTTPS, and Element would probably need 5222.

  3. Is blocking everything via firewall and only whitelisting services I use feasible? Is that necessary if running the whole thing with port forwarding through the VPN? I’m concerned that I won’t be able to manually figure out every service my applications need.

I understand there is a balance between security and compatibility/usability, but I would like to have a reasonable amount of confidence that my files and photos will not be easily taken. Any insight is greatly appreciated.
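An added example, not part of the original post: one way to approach the "scan your machine and ensure no extra ports are open" item and question 3 from the host itself, by comparing listening sockets against the ports you intend to allow. The `ss -H -tuln` text is a constructed sample and the `ALLOWED` set is an assumed plan; a socket listed here may still be blocked by the firewall, so this shows what a default-deny rule set would have to cover.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0  128        0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0  511        0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0  511              *:80             *:*
tcp   LISTEN 0  100        0.0.0.0:25       0.0.0.0:*
tcp   LISTEN 0  128      127.0.0.1:8095     0.0.0.0:*
tcp   LISTEN 0  128           [::]:22          [::]:*
udp   UNCONN 0  0    127.0.0.53%lo:53       0.0.0.0:*
udp   UNCONN 0  0          0.0.0.0:5353     0.0.0.0:*
udp   UNCONN 0  0          0.0.0.0:1900     0.0.0.0:*
"""

# Assumed plan for this example: only SSH, HTTP and HTTPS should be reachable.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each tcp/udp socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %interface suffix.
        yield fields[0], addr.strip("[]").split("%")[0], int(port)

def is_loopback(addr):
    """True only for addresses that are provably loopback."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown form: treat as exposed, the safe default

def audit(ss_output, allowed):
    """Compare non-loopback listeners with the intended allowlist."""
    exposed = {(proto, port) for proto, addr, port in parse_listeners(ss_output)
               if not is_loopback(addr)}
    return {"unexpected": sorted(exposed - allowed),
            "missing": sorted(allowed - exposed)}

if __name__ == "__main__":
    print(audit(SAMPLE_SS, ALLOWED))
```

On a real host, feed it the output of `ss -H -tuln` instead of the sample; anything under `unexpected` is a service to disable, bind to loopback, or leave blocked.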

[–] unitedwithme@lemmy.today 3 points 2 months ago (1 children)

I think Yunohost integrates fail2ban, too.

[–] irmadlad@lemmy.world 1 points 2 months ago

It's been quite a while since I've messed with Yunohost, so memory is a bit sketchy.