this post was submitted on 02 Apr 2025
123 points (98.4% liked)

Selfhosted

60587 readers
1425 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Inspired by this comment to try to learn what I'm missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

you are viewing a single comment's thread
view the rest of the comments
[–] InvertedParallax@lemm.ee 9 points 1 year ago (2 children)

There are ip lists that let you iptables drop all traffic from China and Russia.

Strongly recommend.

[–] ocean@lemmy.selfhostcat.com 5 points 1 year ago (1 children)

I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…

Good advice outside of this use case! :)

[–] InvertedParallax@lemm.ee 4 points 1 year ago

Yeah, there were other countries to ban, but those 2 cut my attacks down 90%.

Also consider a honeypot that triggers when anyone tries to ssh it at all.

[–] lka1988@lemmy.dbzer0.com 2 points 1 year ago* (last edited 1 year ago) (1 children)

My UDM has this capability. I've blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.

[–] InvertedParallax@lemm.ee 1 points 1 year ago

Have the rack mounted one, I usually roll my own router but I'm glad to have someone else making sure I don't do anything stupid for security.

It's not perfect, but it's peace of mind.