this post was submitted on 26 Jun 2024
95 points (88.0% liked)

Selfhosted

40183 readers
1046 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I understand that people enter the world of self hosting for various reasons. I am trying to dip my toes in this ocean to try and get away from privacy-offending centralised services such as Google, Cloudflare, AWS, etc.

As I spend more time here, I realise that it is practically impossible; especially for a newcomer, to setup any any usable self hosted web service without relying on these corporate behemoths.

I wanted to have my own little static website and alongside that run Immich, but I find that without Cloudflare, Google, and AWS, I run the risk of getting DDOSed or hacked. Also, since the physical server will be hosted at my home (to avoid AWS), there is a serious risk of infecting all devices at home as well (currently reading about VLANS to avoid this).

Am I correct in thinking that avoiding these corporations is impossible (and make peace with this situation), or are there ways to circumvent these giants and still have a good experience self hosting and using web services, even as a newcomer (all without draining my pockets too much)?

Edit: I was working on a lot of misconceptions and still have a lot of learn. Thank you all for your answers.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 18 points 4 months ago

DDOS against a little self hosted instance isn't really a concern I'd have. I'd be more concerned with the scraping of private information, ransomware, password compromises, things of that nature. If you keep your edge devices on the latest security patches and you are cognizant on what you are exposing and how, you'll be fine.

[–] [email protected] 3 points 4 months ago

Of course security comes with layers, and if you're not comfortable hosting services publically, use a VPN.

However, 3 simple rules go a long way:

  1. Treat any machine or service on a local network as if they were publically accesible. That will prevent you from accidentally leaving the auth off, or leaving the weak/default passwords in place.

  2. Install services in a way that they are easy to patch. For example, prefer phpmyadmin from debian repo instead of just copy pasting the latest official release in the www folder. If you absolutely need the latest release, try a container maintained by a reasonable adult. (No offense to the handful of kids I've known providing a solid code, knowledge and bugreports for the general public!)

  3. Use unattended-upgrades, or an alternative auto update mechanism on rhel based distros, if you don't want to become a fulltime sysadmin. The increased security is absolutely worth the very occasional breakage.

  4. You and your hardware are your worst enemies. There are tons of giudes on what a proper backup should look like, but don't let that discourage you. Some backup is always better than NO backup. Even if it's just a copy of critical files on an external usb drive. You can always go crazy later, and use snapshotting abilities of your filesystem (btrfs, zfs), build a separate backupserver, move it to a different physical location... sky really is the limit here.

[–] [email protected] 18 points 4 months ago (2 children)

The DDOSED hype on this site is so over played. Oh my god my little self hosted services are going to get attacked. Is it technically possible yes but it hasn’t been my experience.

[–] [email protected] 6 points 4 months ago

DDoSing cost the attacker some time and resources so there has to something in it for them.

Random servers on the internet are subject to lots of drive-by vuln scans and brute force login attempts, but not DDoS, which are most costly to execute.

[–] [email protected] 3 points 4 months ago (1 children)

99% of people think they are more important than they are.

If you THINK you might be the victim of an attack like this, you're not going to be a victim of an attack like this. If you KNOW you'll be the victim of an attack like this on the other hand...

[–] [email protected] 1 points 4 months ago

Many of us also lived through the era where any 13 year old could steal Mommy's credit card and rent a botnet for that ezpz

My MC server a decade ago was tiny and it still happened every few months when we banned some butthurt kid

[–] [email protected] 3 points 4 months ago

If you do it right you shouldn't get hacked. Even if you do you can keep good immutable backups so you can restore. Also make sure you monitor everything for bad behavior or red flags.

[–] [email protected] 27 points 4 months ago (1 children)

Use any old computer you have lying around as a server. Use Tailscale to connect to it, and don’t open any ports in your home firewall. Congrats, you’re self-hosting and your risk is minimal.

[–] [email protected] 2 points 4 months ago (1 children)

Exactly what I do and works like a dream. Had a VPS and nginx to proxy domain to it but got rid of it because I really had no use for it, the Tailscale method worked so well.

[–] [email protected] 1 points 4 months ago

I’ve been thinking of trying this (or using Caddy instead of nginx) so I could get Nextcloud running on an internal server but still have an external entry point (spousal approval) but after setting up the subdomain and then starting caddy and watching how many times that subdomain started to get scanned from various Ips all over the world, I figured eh that’s not a good plan. And I’m a nobody and don’t promote my domain anywhere.

[–] [email protected] 14 points 4 months ago* (last edited 4 months ago)

Getting DDOSed or hacked is very very rare for anyone self hosting. DDOS doesn't really happen to random people hosting a few small services, and hacking is also rare because it requires that you expose something with a significant enough vulnerability that someone has a way into the application and potentially the server behind it.

But it's good to take some basic steps like an isolated VLAN as you've mentioned already, but also don't expose services unless you need to. Immich for example if it's just you using it will work just fine without being exposed to the internet.

[–] [email protected] 4 points 4 months ago

I've self hosted home assistant for a few years, external access through Cloud flare now because it's been so stablez but previously used DuckDNS which was a bit shit if I'm honest.

I got into self hosting proper earlier this year, I wanted to make something that I could sail the 7 seas with.

I use Tailscale for everything.

The only open port on my router is for Plex because I'm a socialist and like to share my work with my friends.

Just keep it all local and use it at home. If you wanna take some of your media outside with you, download it onto your phone before you leave

[–] [email protected] 29 points 4 months ago

Drink less paranoia smoothie...

I've been self-hosting for almost a decade now; never bothered with any of the giants. Just a domain pointed at me, and an open port or two. Never had an issue.

Don't expose anything you don't share with others; monitor the things you do expose with tools like fail2ban. VPN into the LAN for access to everything else.

load more comments
view more: next ›