this post was submitted on 02 Apr 2025
123 points (98.4% liked)

Selfhosted

60587 readers
1425 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Inspired by this comment to try to learn what I'm missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

you are viewing a single comment's thread
view the rest of the comments
[–] AkatsukiLevi@lemmy.world 35 points 1 year ago (5 children)

Disable password authentication on SSH

Enable firewall and block all ports you're not using(most firewalls do this by default)

Switch to a LTS kernel(not security related, but it keeps things going smooth... Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)

Use Caddy to proxy to services instead of directly exposing them out

HTTPS for web stuff(Caddy does it automatically)

[–] ZonenRanslite@feddit.org 21 points 1 year ago (1 children)
[–] ocean@lemmy.selfhostcat.com 2 points 1 year ago (1 children)
[–] InvertedParallax@lemm.ee 9 points 1 year ago (2 children)

There are ip lists that let you iptables drop all traffic from China and Russia.

Strongly recommend.

[–] ocean@lemmy.selfhostcat.com 5 points 1 year ago (1 children)

I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…

Good advice outside of this use case! :)

[–] InvertedParallax@lemm.ee 4 points 1 year ago

Yeah, there were other countries to ban, but those 2 cut my attacks down 90%.

Also consider a honeypot that triggers when anyone tries to ssh it at all.

[–] lka1988@lemmy.dbzer0.com 2 points 1 year ago* (last edited 1 year ago) (1 children)

My UDM has this capability. I've blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.

[–] InvertedParallax@lemm.ee 1 points 1 year ago

Have the rack mounted one, I usually roll my own router but I'm glad to have someone else making sure I don't do anything stupid for security.

It's not perfect, but it's peace of mind.

[–] Shimitar@downonthestreet.eu 10 points 1 year ago (1 children)

This, but I prefer nginx.

And no real need for tailscale or cloudflare. If you do not like to depend on a third party service, either port forward and ddns or an external vps+wire guard if you have gcnat

[–] szszl@sh.itjust.works 1 points 1 year ago (1 children)

This is a valid solution but honestly how is using VPS not depending on third party?

[–] Shimitar@downonthestreet.eu 1 points 1 year ago

It is, but you are free to switch at any time provider, there is no technological lock in like with cloudflare or tailscale (i know there is a free self hostable version, not talking about that).

So just rent a new one and switch your wireguard there.

[–] JustEnoughDucks@feddit.nl 8 points 1 year ago

Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as "it doesn't exist" rather than an obsticle to try exploits on. Not sure if that is true though.

For me:

  • ssh server only with keys

  • absolutely no ssh forwarding, only available to local network via firewall rules

  • docker socket proxy for everything that needs socket access

  • drop non-used ports, limit IPs for local-only services (e.g. paperless)

  • crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)

  • Authelia over everything that doesn't break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)

  • proper umask rules on all docker directories (or as much as possible)

  • main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical

  • full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren't in memory (makes a startup script with a password needed, so no automated startups for me)

For more info, I followed a lot of stuff on: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

[–] szszl@sh.itjust.works 3 points 1 year ago

Caddy or any other (reputable) reverse proxy. I think Nginx Proxy Manager would be best for beginner thanks to GUI.