this post was submitted on 29 Jan 2024
48 points (98.0% liked)

Selfhosted

39937 readers
339 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello peoples,

I am looking for tips on how to make my self-hosted setup as safe as possible.

Some background: I started self-hosting some services about a year ago, using an old lenovo thin client. It's plenty powerful for what I'm asking it to do, and it's not too loud. Hardware wise I am not expecting to change things up any time soon.

I am not expecting anyone to take the time to baby me through the process, I will be more than happy with some links to good articles and the like. My main problem is that there's so much information out there, I just don't know where to start or what to trust.

Anyways, thank you for reading.

N

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 9 months ago* (last edited 9 months ago)

Your basic requirements are:

  • Some kind of domain / subdomain payed or free;
  • Preferably Home ISP that has provides public IP addresses - no CGNAT BS;
  • Ideally a static IP at home, but you can do just fine with a dynamic DNS service such as https://freedns.afraid.org/.

Quick setup guide and checklist:

  1. Create your subdomain for the dynamic DNS service https://freedns.afraid.org/ and install the daemon on the server - will update your domain with your dynamic IP when it changes;
  2. List what ports you need remote access to;
  3. Isolate the server from your main network as much as possible. If possible have then on a different public IP either using a VLAN or better yet with an entire physical network just for that - avoids VLAN hopping attacks and DDoS attacks to the server that will also take your internet down;
  4. If you're using VLANs then configure your switch properly. Decent switches allows you to restrict the WebUI to a certain VLAN / physical port - this will make sure if your server is hacked they won't be able to access the Switch's UI and reconfigure their own port to access the entire network. Note that cheap TP-Link switches usually don't have a way to specify this;
  5. Configure your ISP router to assign a static local IP to the server and port forward what's supposed to be exposed to the internet to the server;
  6. Only expose required services (nginx, game server, program x) to the Internet us. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
  7. Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
  8. Disable IPv6? Might be easier than dealing with a dual stack firewall and/or other complexities;
  9. Use nftables / iptables / another firewall and set it to drop everything but those ports you need for services and management VPN access to work - 10 minute guide;
  10. Configure nftables to only allow traffic coming from public IP addresses (IPs outside your home network IP / VPN range) to the Wireguard or required services port - this will protect your server if by some mistake the router starts forwarding more traffic from the internet to the server than it should;
  11. Configure nftables to restrict what countries are allowed to access your server. Most likely you only need to allow incoming connections from your country and more details here.

Realistically speaking if you're doing this just for a few friends why not require them to access the server through WireGuard VPN? This will reduce the risk a LOT and won't probably impact the performance. Here a decent setup guide and you might use this GUI to add/remove clients easily.

Don't be afraid to expose the Wireguard port because if someone tried to connect and they don't authenticate with the right key the server will silently drop the packets.

Now if your ISP doesn't provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare tunnels and how to setup and alternative / more private solution.