Selfhosted

You can simply set up a VPN for your home network (e.g. Tailscale, Netbird, Headscale, etc.) and you won't have to worry about attacks. Public services require a little more work, you will need to rely on a service from a company, either a tunnel (e.g. Tailscale funnel) or a VPS.

If your SSH is using key authentication and you don't have anything silly as an attack vector, you should be grand.

If you are behind CGNAT and use some tunnel (Wireguard, Tailscale, etc.) to access your services which are running on Docker containers, the attack vector is almost not existing.

I've been self hosting for 2 or 3 years and haven't been hacked, though I fully expect it to happen eventually(especially if I start posting my blog in places). I'd suggest self hosting a VPN to get into your home network and not making your apps accessible via the internet unless 100% necessary. I also use docker containers to minimize the apps access to my full system. Best of luck!

A VPS with fail2ban is all you need really. Oh and don't make ssh accounts where the username is the password. That's what I did once, but the hackers were nice, they closed the hole and then just used it to run a irc client because the network and host was so stable.

Found out by accident, too bad they left their irc username and pw in cleartext. Was a fun week or so messing around with their channels

If your needs are fairly low on the processing side, you can snag a cloud VPS on LowEndBox for five or six dollars a month. Quality is highly variable ofc, but I’m reasonably my happy with mine.

No AWS, etc (though I don’t know offhand where the actual box lives), SSH access defaults to a key, and the rest (firewall, reverse proxy if you like, and all the other best practices) are but an apt-get away and a quick searxng to find and dissect working configs.

Incidentally, searxng is a good place to start- dead easy to get rolling,and a big step towards degoogling your life. Stand it up, throw a pretty standard config at nginx, and do a certbot —nginx -d search.mydomain.com - that all there is to it.

YMMV with more complex apps,but there is plenty of help to be had.

Oh…. Decide early on if anonymity is a goal,or you’re ok tying real life identity to your server if someone cares to look. Register domains and make public facing choices accordingly.

Either choice is acceptable if it’s the right one for you, but it’s hard to change once you pick a path.

I’m a big fan of not hosting on prem simply because it’s one more set of cables to trip over, etc. But for a latte a month in hosting costs, it’s worth it to me.

You can. I am lucky enough to not have been hacked after about a year of this, and I use a server in the living room. There are plenty of guides online for securing a server. Use common sense, and also look up threat modeling. You can also start hosting things locally and only host to the interwebs once you learn a little more. Basically, the idea that you need cloudflare and aws to not get hacked is because of misleading marketing.

Firewall, Auth on all services, diligent monitoring, network segmentation (vlans are fine), and don't leave any open communications ports, and you'll be fine.

Further steps would be intrusion detecting/banning like crowdsec for whatever apps leave world accessible. Maybe think about running a BSD host and using jails.

Use a firewall like OPNsense and you'll be fine. There's a Crowdsec plugin to help against malicious actors, and for the most part, nothing you're doing is worth the trouble to them.

I host a handful of Internet facing sites/applications from my NAS and have had no issues. Just make sure you know how to configure your firewall correctly and you’ll be fine.

It depends on what your level of confidence and paranoia is. Things on the Internet get scanned constantly, I actually get routine reports from one of them that I noticed in the logs and hit them up via an associated website. Just take it as an expected that someone out there is going to try and see if admin/password gets into some login screen if it's facing the web.

For the most part, so long as you keep things updated and use reputable and maintained software for your system the larger risk is going to come from someone clicking a link in the wrong email than from someone haxxoring in from the public internet.

Other than the low chance of you being targeted I would say only expose your services through something like Wireguard. Other than the port being open attackers won't know what it's for. Wireguard doesn't respond if you don't immediately authenticate.

Yeah na, put your home services in Tailscale, and for your VPS services set up the firewall for HTTP, HTTPS and SSH only, no root login, use keys, and run fail2ban to make hacking your SSH expensive. You're a much smaller target than you think - really it's just bots knocking on your door and they don't have a profit motive for a DDOS.

From your description, I'd have the website on a VPS, and Immich at home behind TailScale. Job's a goodun.

Not my experience so far with my single service I've been running for a year. It's making me even think of opening up even more stuff.

Hey no to be harsh or anything but did you actually made your research? Plenty of people self host websites on their house without AWS , Google or Cloudfare and it works fine.

One aspect is how interesting you are as a target. What would a possible attacker gain by getting access to your services or hosts?

The danger to get hacked is there but you are not Microsoft, amazon or PayPal. Expect login attempts and port scans from actors who map out the internets. But I doubt someone would spend much effort to break into your hosts if you do not make it easy (like scripted automatic exploits and known passwords login attempts easy) .

DDOS protection isn't something a tiny self hosted instance would need (at least in my experience).

Firewall your hosts, maybe use a reverse proxy and only expose the necessary services. Use secure passwords (different for each service), add fail2ban or the like if you're paranoid. Maybe look into MFA. Use a DMZ (yes, VLANs could be involved here). Keep your software updated so that exploits don't work. Have backups if something breaks or gets broken.

In my experience the biggest danger to my services is my laziness. It takes steady low level effort to keep the instances updated and running. (Yes there are automated update mechanisms - unattended upgrades i.e. -, but also downwards compatibility breaking changes in the software which will require manual interactions by me.)

I feel like you have the wrong idea of what hacking acting a actually is... But yes, as long as you don't do anything too stupid line forwarding all of your ports or going without any sort of firewall, the chances of you getting hacked are very low...

As for DDOSing, you can get DDOSed with or without self hosting all the same, but I wouldn't worry about it.

DDoS and hacking are like taxes: you should be so lucky as to have to worry about them, because that means you're wildly successful. Worry about getting there first because that's the hard part.

It’s very possible. If you carefully manage your attack surface and update your software regularly, you can mitigate your security risks quite a bit.

The main problem is going to be email. I have found no reliable way to send email that does not start with “have someone else do it for you” or “obtain an IP block delegation”.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #832 for this sub, first seen 26th Jun 2024, 10:25] [FAQ] [Full list] [Contact] [Source code]

Why would anyone ddos you? Ddos costs money andor effort. Noone is going to waste that on you. Maybe dos but not ddos. And the troll will go away after some time as well. There's no gain in dosing you. Why would anyone hack your static website? For the lulz? If everything is https encrypted on your local net how does a hacker infest everything on your network?

If you are afraid of being ddosed which is very unlikely. Cloudflare has free ddos protection. You can put some but not all things behind their proxy.

Also instead of making things publicly available look in to using a VPN. Wireguard with "wireguard easy" makes this very simple.

VLANs do not make you network magically more secure. But when setup correctly can increase security a load if something has already penetrated the network. But also just to streamline a network and allow or deny some parts of the network.