this post was submitted on 29 Jan 2024
48 points (98.0% liked)

Selfhosted

39937 readers
339 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello peoples,

I am looking for tips on how to make my self-hosted setup as safe as possible.

Some background: I started self-hosting some services about a year ago, using an old lenovo thin client. It's plenty powerful for what I'm asking it to do, and it's not too loud. Hardware wise I am not expecting to change things up any time soon.

I am not expecting anyone to take the time to baby me through the process, I will be more than happy with some links to good articles and the like. My main problem is that there's so much information out there, I just don't know where to start or what to trust.

Anyways, thank you for reading.

N

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 9 months ago* (last edited 9 months ago) (1 children)

Port Forwarding – as someone mentioned already, port forwarding raw internet traffic to a server is probably a bad idea based on the information given. Especially since it isn’t strictly necessary.

I don't mean to take issue with you specifically, but I see this stated in this community a lot.

For newbies I can agree with the sentiment "generally" - but this community seems to have gotten into some weird cargo-cult style thinking about this. "Port forwarding" is not a bad idea end of discussion. It's a bad idea to expose a service if you haven't taken any security precautions for on a system that is not being maintained. But exposing a wireguard service on a system which you keep up-to-date is not inherently a bad thing. Bonus points if VPN is all it does and has restricted local accounts.

In fact of all the services homegamers talk about running in their homelab wireguard is one of the safest to expose to the internet. It has no "well-known port" so it's difficult to scan for. It uses UDP which is also difficult to scan for. It has great community support so there will be security patches. It's very difficult to configure in an insecure way (I can't even think of how one can). And it requires public/private key auth rather than allowing user-generated passwords. They don't even allow you to pick insecure encryption algorithms like other VPNs do. It's a great choice for a home VPN.

[–] [email protected] 3 points 9 months ago (1 children)

You make a great point. I really shouldn't contribute to the boogeyman-ification of port forwarding.

I certainly agree there is nothing inherently wrong or dangerous with port forwarding in and of itself. It's like saying a hammer is bad. Not true in the slightest! A newbie swinging it around like there's no tomorrow might smack their fingers a few times, but that's no fault of hammer :)

Port forwarding is a tool, and is great/necessary for many jobs. For my use case I love that Wireguard offers a great alternative that: completes my goal, forces the use of keys, and makes it easy to do so.

[–] [email protected] 3 points 9 months ago (1 children)

Glad you didn't take my comment as being "aggressive" since it certainly wasn't meant to be. :-)

Wireguard is a game-changer to me. Any other VPN I've tried to setup makes the user make too many decisions that require a fair amount of knowledge. Just by making good decisions on your behalf and simplifying the configuration they've done a great job of helping to secure the internet. An often overlooked piece of security is that "making it easier to do something the right way is good for security."

[–] [email protected] 3 points 9 months ago

Right!! Just like anything there's a trade-off.

Glad you phrased the well-intentioned (and fair) critique in a kind way! I love it when there's good discourse around these topics