this post was submitted on 09 Feb 2025
125 points (97.7% liked)

Selfhosted

46450 readers
503 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
125
How do you all handle security and monitoring for your publicly accessible services? (lemmy.world)
submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/[email protected]
70 comments fedilink hide all child comments
 

This is a continuation of my other post

I now have homeassistant, immich, and authentik docker containers exposed to the open internet. Homeassistant has built in 2FA and authentik is being used as the authentication for immich which supports 2FA. I went ahead and blocked connections from every country except for my own via cloudlfare (I'm aware this does almost nothing but I feel better about it).

At the moment, if my machine became compromised, I wouldn't know. How do I monitor these docker containers? What's a good way to block IPs based on failed login attempts? Is there a tool that could alert me if my machine was compromised? Any recommendations?

EDIT: Oh, and if you have any recommendations for settings I should change in the cloudflare dashboard, that would be great too; there's a ton of options in there and a lot of them are defaulted to "off"

(page 2) 21 comments
sorted by: hot top controversial new old
[–] [email protected] 10 points 2 months ago (1 children)

We expose about a dozen services to the open web. Haven't bothered with something like Authentik yet, just strong passwords.

We use a solid OPNSense Firewall config with rather fine-grained permissions to allow/forbid traffic to the respective VMs, between the VMs, between VMs and the NAS, and so on.

We also have a wireguard tunnel to home for all the services that don't need to be available on the internet publicly. That one also allows access to the management interface of the firewall.

In OPNSense, you get quite good logging capabilities, should you suspect someone is trying to gain access, you'll be able to read it from there.

I am also considering setting up Prometheus and Grafana for all our services, which could point out some anomalies, though that would not be the main usecase.

Lastly, I also have a server at a hoster for some stuff that is not practical to host at home. The hoster provided a very rudimentary firewall, so I'm using that to only open necessary ports, and then Fail2Ban to insta-ban IPs for a week on the first offense. Have also set it up so they get banned on Cloudflare's side, so before another malicious request ever reaches me.

Have not had any issues, ever.

[–] [email protected] 3 points 2 months ago (1 children)

Have also set it up so they get banned on Cloudflare’s side, so before another malicious request ever reaches me.

How did you end up setting that up?

[–] [email protected] 14 points 2 months ago (1 children)

Fail2ban allows you set different actions for different infringements, as well as multiple ones. So in addition to being put in a "local" jail, the offending IP also gets added to the cloudflare rules (? Is that what its called?) via their API. It's a premade action called "cloudflare-token-multi"

[–] [email protected] 2 points 2 months ago

that's awesome. thanks!

[–] [email protected] 24 points 2 months ago (2 children)

So there is https://en.wikipedia.org/wiki/Fail2ban which helps already to some degree.

But what are you trying to prevent? You have your services in a docker container, hopefully not running as root, which already makes it difficult to break out even if through a bug someone would be able to get access to the docker container.

I mean its not like your stuff is very important for someone to break in like the pentagon, you probably just have some photos from your phone on it, some lights can be switched on and off and some temperatures read.

I'm not trying to say that you should not care about it but I'm trying to figure out what your threat model is.

[–] [email protected] 24 points 2 months ago* (last edited 2 months ago) (2 children)

I feel weird about having those apps on the internet and basically being blind to threats. I mean yeah, I'm not a target on anyone's list and most IPs visiting the site are bots but I would still like to know what's going on.

I don't work in tech for a living, this is just a hobby for me so I have limited time to work on this stuff and do research. It's very possible I fucked something up and don't know it. I figured if I at least got an alert that said "hey, your immich server db was dumped and sent to ", I could at least turn it off

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 5 points 2 months ago (1 children)

I've half ass thought about this but never have tried to actually self host. If you have access to all devices, why not just use your own self signed certificates to encrypt everything and require the certificate for all connections? Then there is never a way to log in or connect right? The only reason for any authentication is to make it possible to use any connection to dial into your server. So is that a bug or a feature. Maybe I'm missing something fundamental in this abstract concept that someone will tell me?

[–] [email protected] 6 points 2 months ago (2 children)

If you have access to all devices, why not just use your own self signed certificates to encrypt everything and require the certificate for all connections?

Sounds like you are describing a VPN. I was using that setup before but small stuff like immich album sharing via a link won't work properly. Also, having to ensure a vpn is on and connected is a little to much to ask of my partner; they would turn it off and forget about it and then ask why their app wasn't working :/

[–] [email protected] 1 points 2 months ago (1 children)

Beside the fact that you would like to understand if you've done everything properly (that's good, but I can't help you here), a VPN on a smartphone can be always active. Mine is always on and I've never noticed any battery problem. If you prefer something simpler there's Tailscale.

[–] [email protected] 5 points 2 months ago* (last edited 2 months ago) (1 children)

If it were only me using the apps, I'd be using a VPN. Over the years, I've used OpenVPN, Wireguard, and now Tailscale. In my experience, they work like 99% of the time. That last 1% though is weird connection issues; usually when switching between WiFi and cellular (or vice versa) but sometimes it's my server or ISP and I have to turn the VPN off and back on to troubleshoot. During those rare times, my partner will either turn off the VPN and forget to turn it back on or they will forget about the VPN completely and not be able to use their phone. Ideally, I'd like to set something up that doesn't require any potential troubleshooting on their part so I can avoid hearing "why can't we just use Google photos?" or "what's wrong with Google home?" 😓

load more comments (1 replies)
[–] [email protected] 2 points 2 months ago (2 children)

I mean more like a self signed TLS certificate with your own host manually set in the browser. Then only make the TLS port available, or something like that. If you have access to both(all) devices, you should be able to fully encrypt by bruit force and without registering the certificate with anyone. That is what I do with AI at home.

[–] [email protected] 4 points 2 months ago (5 children)

I don't know much about certificates, but doesn't that just alert the browser that the certificate is not trusted and you can decide if keep going or not?

load more comments (5 replies)
[–] [email protected] 2 points 2 months ago (1 children)

oh, my mistake. tbh, I don't know enough about it but I'm interested. Why set up a TLS cert for AI at home? How is that benefiting you and your setup?

I've seen some people set up SSL certs for self hosted services and not make them publicly available but I didn't get around to seeing why they were doing it

load more comments (1 replies)
[–] [email protected] 1 points 2 months ago (2 children)

Why? Not every service is meant to be exposed to the open internet. Immich is the only one of what you listed that makes sense to have out in the open.

[–] [email protected] 3 points 2 months ago (1 children)

I've been playing around with the voice assistant stuff in homeassistant and it seemingly needs a public url to get all the features. I could be wrong about that though?

I put authentik in front of immich to handle authentication so that I would need need a 2FA code

[–] [email protected] 3 points 2 months ago (1 children)

Most definitely does not need a public URL for Assist in HA. Not sure where you read that.

It sounds like you need a VPN to your internal services if you're concerned about security.

[–] [email protected] 2 points 2 months ago (1 children)

Most definitely does not need a public URL for Assist in HA. Not sure where you read that.

You're probably right. At one point, I had a subscription to homeassistant cloud a few years back to use a google nest speaker at the time. I was just going off that I guess. I'll do some testing and will probably put it back behind tailscale. thanks for the heads up

It sounds like you need a VPN to your internal services if you’re concerned about security.

I'm more so concerned that I set something up incorrectly and would like to be made aware of it in the event someone else noticed

[–] [email protected] 1 points 2 months ago

That's very specific to individual services

[–] [email protected] 4 points 2 months ago (2 children)

What about home assistant? Me and the Family quite often use the HA app on the go, sometimes even from other computers like at my parents or in a hotel to check on the house and the cat. I also gave my dad access to it so he can see if we're at home and things like that.

Same with my dads HA.

[–] [email protected] 6 points 2 months ago (1 children)

Set up a VPN to get back inside your network if you're outside it. Then you don't need HA (or anything else for that matter) to be public.

[–] [email protected] 0 points 2 months ago

☝️

load more comments (1 replies)
load more comments
view more: ‹ prev next ›