this post was submitted on 09 Feb 2025

125 points (97.7% liked)

Selfhosted

46450 readers

503 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

[email protected]

125

How do you all handle security and monitoring for your publicly accessible services? (lemmy.world)

submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/[email protected]

70 comments fedilink hide all child comments

This is a continuation of my other post

I now have homeassistant, immich, and authentik docker containers exposed to the open internet. Homeassistant has built in 2FA and authentik is being used as the authentication for immich which supports 2FA. I went ahead and blocked connections from every country except for my own via cloudlfare (I'm aware this does almost nothing but I feel better about it).

At the moment, if my machine became compromised, I wouldn't know. How do I monitor these docker containers? What's a good way to block IPs based on failed login attempts? Is there a tool that could alert me if my machine was compromised? Any recommendations?

EDIT: Oh, and if you have any recommendations for settings I should change in the cloudflare dashboard, that would be great too; there's a ton of options in there and a lot of them are defaulted to "off"

top 50 comments

sorted by: hot top controversial new old

[–] [email protected] 8 points 2 months ago (1 children)

I've tried different approaches with fail2ban, crowdsec, VPNs, etc. What I settled on is to divide the data of my services in two categories: confidential and "I can live with it leaking".

The ones that host confidential data is behind a VPN and has some basic monitoring on them.

The ones that are out in the public are behind a WAF from cloudflare with pretty restrictive rules.

Yes, cloudflare suck etc., but the value of stopping potential attacks before they reach your services is hard to match.

Just keep in mind: you need layers of different security measures to protect your services (such as backups, control of network traffic, monitoring and detection, and so on).

[–] [email protected] 4 points 2 months ago (1 children)

has some basic monitoring on them.

What monitoring software are you using?

I feel like the other measures you talked about (backups, condom of network traffic, etc) I'm doing ok on. Its really just the monitoring where I'm stuck. There's so many options

[–] [email protected] 3 points 2 months ago

There are so many monitoring tools with various degrees of complicated setup / configuration or the amount of information you get. And honestly, I've looked into various tools: checkmk, monit, Prometheus... And realised that I rarely look into that information anyway. Of all "fancy" tools, I liked the ease of Netdata to set up and the amount of information that you get. However, beware that their in the process to make their free / homelad offering worse. I've been eyeing beszel and don't forget CLI based tools that are avaible such as atop, btop, htop or glances.

If you want to delve deeper into the rabbit hole of monitoring, I can recommend you to read this article below: https://matduggan.com/were-all-doing-metrics-wrong/

[–] [email protected] 7 points 2 months ago* (last edited 2 months ago) (1 children)

Wazuh

Active responses are like fail2ban but better

[–] [email protected] 2 points 2 months ago

I'll look into it, thank you

[–] [email protected] 18 points 2 months ago (1 children)

Check out crowdsec. Like fail2ban, but with crowdsourced lists on top.

[–] [email protected] 3 points 2 months ago

will do, thanks

[–] [email protected] 31 points 2 months ago (3 children)

By not making them publicly accessible. With Wireguard there's really no reason.

Setup service to be active on a subnet, enable Wireguard to VPN into the subnet and use the services.

[–] [email protected] 2 points 2 months ago (1 children)

Yeah, I'm not gonna tell the 50 users of my plex server to set up wireguard on their devices so they can request movies and TV series on my overseer, when I can instead just use NPM to make it publically accessible with a password prompt

[–] [email protected] 3 points 2 months ago

Your use case, and OPs, are completely different scenarios. I can't tell if you're being purposefully disingenuous or just flippantly stupid.

[–] [email protected] 20 points 2 months ago (2 children)

With Wireguard there's really no reason.

Well, that's kinda of a personal choice. If somebody needs to have services accessible by someone else besides him, that service can't be behind a VPN (let's face the truth: we know that we can't ask all out relatives and friends to use a VPN).

[–] [email protected] -3 points 2 months ago* (last edited 2 months ago) (1 children)

If somebody needs to have services accessible by someone else besides him, that service can’t be behind a VPN

Again, this is the reason VPNs exist. If that person needs access, then setup Wireguard...

It's like saying you don't need a front gate with an access code because then you would have to give out your own access code. But I mean, the lock has the ability to setup more access codes. And you're saying the only viable option is the leave the gate open and hire a guard to manage access. It's just... Weird and wrong.

[–] [email protected] 1 points 2 months ago (1 children)

Again, this is the reason VPS’ exist.

What? What's the difference between a VPS and your home server? You may say that's a good practice to separate things, so maybe have a a VM with public facing services and another with more private stuff reachable only with a VPN. But for something like Nextcloud, it needs to be public (if you're not the only one using it), but it contains personal stuff and then comes the OP request!

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

You may say that’s a good practice to separate things

You're missing the point. VPN isn't about separating anything... I'm not even sure what you mean by that. VPN is the accepted practice here. Unquestionably. You create private services, and for security you only expose them to the least amount of people possible. You authenticate via VPN connections. You only have to maintain a single database of users to access any number of services, even tens of thousands.

OP is specifically talking about hosting local content that they want to protect. VPN is the solution here.

[–] [email protected] 1 points 2 months ago (1 children)

Well...if you edit your post after someone has replied to it at least specify what's you've edited and don't pretend that the answer that somebody else has already given you wasn't about your non edited post!
If you (my mistake) wrote VPS instead of VPN, you can't pretend that I've answered about VPN!
If you can convince your family member and your friends to use a VPN to use your service, that's good for you, and I mean it!
But saying that it's quite impossible to do that, I think that I'm speaking for 99% of the self hoster (is this correct in English? Bah, you got me!)

[–] [email protected] 0 points 2 months ago (2 children)

The entire point of selfhost is to host private services not available to the public. By literal definition, that's allowing only local traffic to connect to your services. It's infinitely more secure. A VPN allows you to extend those services over the clearnet to authorized devices via virtualized networks. You don't have to worry about messing with inbound/outbound ports, or worrying about software failure or misconfigurations accidentally exposing you to the clearnet. You don't have to worry about DDoS, or abuse. Being attacked? Bring down your VPN and that completely shuts down your issue. Your network is completely unreachable by anyone but a local host.

There's simply no room for an argument. VPN is objectively better in all possible situations.

[–] [email protected] 1 points 2 months ago

I didn't know that was the entire point of self hosting. Some people want to self host things for the public, like a website or game server.

There is a program called "yunohost" to simplify this process.

Maybe a VPS is better for website hosting but some people want to self host.

[–] [email protected] 1 points 2 months ago

The entire point of selfhost is to host private services not available to the public
Probably your entire point, a lot of self hosters self host services that family members and friends can reach most of the time without the need of a VPN. This very community is full of examples.

It’s infinitely more secure

I'm with you about that.

There’s simply no room for an argument.

As stated in the other post, I'm sorry about that, I'm here to discuss and learn, if you don't have room for an argument, our discussion ends here.

VPN is objectively better in all possible situations.

Exactly! in all possible situation!!!

[–] [email protected] 5 points 2 months ago (1 children)

There’s also something to be said about some services being cordoned off in a VPN while leaving some public with security. I don’t necessarily want everyone within my full network if all I want is to share one service with them.

[–] [email protected] 2 points 2 months ago (1 children)

For that, you can restrict access to a single service with iptables.

[–] [email protected] 1 points 2 months ago (1 children)

This is effectively the same damn thing with a single exception. If your VPN is down, there's no access to your server. If for whatever reason your firewall is down, there's unrestricted access to your server...

VPN is unquestionably the correct choice 100 times out of 100.

[–] [email protected] 1 points 2 months ago (1 children)

If for whatever reason your firewall is down, there’s unrestricted access to your server…

I don't know what kind of firewall you use, but if my firewall is down there is NO traffic at all passing through!

And by the way, since I've replied to someone that don't want to use VPN because he doesn't want to give access to the whole network, I meant that he could use a VPN AND iptables to restrict the guest access to single services instead of the whole network.

[–] [email protected] 0 points 2 months ago (1 children)

I don’t know what kind of firewall you use, but if my firewall is down there is NO traffic at all passing through!

Only a hardware firewall would do this. If it's software, like implied in your post, no traffic is filtered and all connections are accepted.

VPN is the least amount of work for the most secure setup. There's nothing to even argue, its superior in every way.

[–] [email protected] 1 points 2 months ago

Only a hardware firewall would do this. If it’s software, like implied in your post, no traffic is filtered and all connections are accepted.

Talking abut netfilter, since it manages also the forwardning, it for some strange reason it should crash, NO IP traffic is flowing

VPN is the least amount of work for the most secure setup. There’s nothing to even argue, its superior in every way.

If there's nothing to even argue, then I say goodby to you since I'm here to discuss. All the best!

[–] [email protected] 1 points 2 months ago (3 children)

I agree with WG however I need https for a few locally hosted items like actual budget so I have that through nginx proxy manager. I was debating adding Authelia in front with some of my others (audiobook shelf, home assistant and music assistant) as sometimes I disconnect from my home network and forget to reconnect.

[–] [email protected] 1 points 2 months ago

Why not swap from nginx-proxy-manager to Caddy2, which can handle everything? SSL and reverse_proxy?

[–] [email protected] 1 points 2 months ago (1 children)

There should be an option in your phone VPN setup to reconnect if app X is being used.

[–] [email protected] 1 points 2 months ago

There is. It's called VPN Split Tunneling.

If you want to proxify your connection between you and a service, you enable the split. If you don't care, or want to not use the VPN, then disable it for that application. So it's effectively "proxify all connections to this app," which is the same as your use case.

[–] [email protected] 2 points 2 months ago

Just out of curiosity, why do you disconnect from your home VPN?

[–] [email protected] 4 points 2 months ago* (last edited 2 months ago) (1 children)

So among my services I self host, a few need to be publicly accessible for work. For those I wish to remain private, Caddy only allows private IP ranges, plus then Authelia as auth which is set to 30 days. There is then the login of each service behind Authelia as well. It's as good as it needs to be for my needs.

If I were only self hosting private services, then as others have said, I would put all access through a VPN.

Edit: I should add that of course the private services are then only accessed via VPN to the router (part of the private IP ranges). Caddy as reverse proxy also obfuscates the subdomain names I use.

[–] [email protected] 1 points 2 months ago (1 children)

Caddy only allows private IP ranges

Do you mind telling me more about this? How does that work; a VPN?

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

Sure, so I use Caddy as a reverse proxy for all my subdomains, the public ones direct straight to whatever service(s) are on IP:port etc, then the private ones only allow private IP ranges of which one is my VPN subnet, therefore only allowing LAN and VPN access. I then also have a section for each of the private subdomains with Authelia authentication which is omitted here in the caddyfile example:

(allowed) {
	@allowed client_ip 192.168.1.0/24 192.168.10.0/24 192.168.20.0/28
}

sub.domain.com {
	import allowed
	handle @allowed {
		reverse_proxy 192.168.80.8:8080
	}

	handle {
		abort
	}
}

[–] [email protected] 2 points 2 months ago (1 children)

Some of these you're already doing, but writing a complete* list. *almost garuanteed not to be complete, suggestions welcome

Have everything behind the same reverse proxy, so that you have only one endpoint to worry about. Run it through ssllabs or similar to check your config.
On your reverse proxy, add one or more layers of authentication if possible. Many possibilities here: If one app supports client certificates, while another has limited capabilities, you could probably tie together something where IPs are whitelisted to the ither services based on that certificate auth.
Geoblock all countries you won't be accessing from
crowdsec is pretty nice, this detects/blocks threats. kinda like fail2ban but on steroids.
if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of "if it's compromised, they're not in your house".

lastly consider if these things need to be publically avilable at all. I'm happy with 95% of my services only being available through Tailscale (mesh VPN, paid service with good enough free tier, open source+free alternatives available), and I've got tailscale on all my devices

[–] [email protected] 4 points 2 months ago (1 children)

check
check
check
I saw someone else recommend crowdsec. I'll look into it, thanks

if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of “if it’s compromised, they’re not in your house”.

I've heard this mentioned before but I don't really understand how this works in practice. If the VPS was compromised, couldn't they use the VPN to then connect to my home?

[–] [email protected] 1 points 2 months ago

I set the VPN tunnel from the VPS to deny everything to the internal network by default, then put the services that need to be accessed on the allow list in the firewall. So the VPN endpoint from the VPS can only hit the very specific IPs/ports/protocols that were explicitly allowed. There is still the possibility of a compromise chain of VPS->service->container/VM->hypervisor->internal network access, but I feel comfortable with those layers.

You could also setup an IDS such as Snort to pick up on that exploit traffic between the services and internal VPN endpoint if extra security is necessary on top of fail2ban and log alerts on the VPS.

[–] [email protected] 9 points 2 months ago* (last edited 2 months ago) (2 children)

Auth portal for VPN tunnell -> Authelia -> fail2ban -> VLAN with services only.

ELK stack monitors the LAN. (Including VLAN)

Keep that VLAN segmented. You're good unless you're a DOGE employee, then I'd recommend quite a bit more security.

[–] [email protected] 1 points 2 months ago

I've seen a bunch of people recommend Authelia. Do you mind if I ask why you went with it over other software? I only went with authentik because I found a tutorial on it first

[–] [email protected] 4 points 2 months ago

This is the way. Layer 3 separation for services you wish to access outside of the home network and the rest of your stuff, with a VPN endpoint exposed for remote access.

It may be overkill, but I have several VLANs for specific traffic:

DMZ - for Wireguard (and if I ever want to stand up a Honeypot)
Services - *arr stack, some Kubes things for remote development
IoT - any smart things like thermostat, home assistant, etc
Trusted - primary at home network for laptops, HTPCs, etc

There are two new additions: a ext-vpn VLAN and a egress-vpn VLAN. I spun up a VM that's dual homed running its own Wireguard/OpenVPN client on the egress side, serving DHCP on the ext-vpn side. The latter has its own wireless ssid so that anyone who connects to it is automatically on a VPN into a non-US country.

[–] [email protected] 17 points 2 months ago

I would put this stuff behind VPN.

load more comments