this post was submitted on 04 Nov 2024
117 points (98.3% liked)

Selfhosted

40173 readers
594 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has "--net host", although the containers can access host services because they have the option "--map-guest-addr" set, so I don't know if this is any safer then "--net host".

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don't think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don't really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 1 week ago

Unless you are a diehard FOSS person or whatever I'd recommend only using reverse tunneling and leveraging cloudflares infrastructure for access and also authentication.

It's crazy the amount of stuff they give away for free

[–] [email protected] 1 points 1 week ago

They aren't going to go after your data. They will take over your machine and use it for there own purposes. This happens in a automated way and they can build botnets made of 1000's of devices.

I would strongly suggest not opening any ports. Instead use a mesh VPN like Tailscale or Netbird. You could even access it over the dark web via i2p or Tor.

[–] [email protected] 8 points 1 week ago (1 children)

Is keeping everything inside of a local “walled garden”, then exposing the minimum amount of services needed to a WireGuard VPN not sufficient?

There would be be no attack surface from WAN other than the port opened to WireGuard

[–] [email protected] 1 points 1 week ago

Minimum open services is indeed best practice but be careful about making statements that the attack surface is relegated to open inbound ports.

Even Enterprise gear gets hit every now and then with a vulnerability that's able to bypass closed port blocking from the outside. Cisco had some nasty ones where you could DDOS a firewall to the point the rules engine would let things through. It's rare but things like that do happen.

You can also have vulnerabilities with clients/services inside your network. Somebody gets someone in your family to click on something or someone slips a mickey inside one of your container updates, all of a sudden you have a rat on the inside. Hell even baby monitors are a liability these days.

I wish all the home hardware was better at zero trust. Keeping crap in isolation networks and setting up firewalls between your garden and your clients can either be prudent or overkill depending on your situation. Personally I think it's best for stuff that touches the web to only be allowed a minimum amount of network access to internal devices. Keep that Plex server isolated from your document store if you can.

[–] [email protected] 24 points 1 week ago (1 children)

Start with the basics:

  • Harden SSH by only allowing public key authentication and use strong keys to authenticate instead of passwords.
  • Setup fail2ban (lots of online resources, check Linode guides) to block malicious IPs temporarily.
  • If the data you store is something only you should see, then it should not ever be connected to the internet, airgap wherever possible.
  • And finally, keep your shit updated.
[–] [email protected] 10 points 1 week ago

To be even more explicit on the last point, that means regularly updating OpenWRT and all your containers, not just the server's base OS

[–] [email protected] 5 points 1 week ago

It's great that you self host but security especially of service directly exposed to internet is very difficult. Use somekind of Direct VPN or services like tailscale etc

[–] [email protected] 5 points 1 week ago

Why don't you use something like Tailscale? Other than that using non standard ports greatly reduces the risks of you getting compromised. The majority of attacks come from port scanners scanning for default ports and trying to use known vulnerabilities.

[–] [email protected] 6 points 1 week ago (3 children)

does anyone have an actual horror story about anything happening via an exposed web service? let's set aside SSH

[–] [email protected] 5 points 1 week ago (2 children)

Yeah, a company got toasted because one of their admins was running Plex and had tautulli installed and opened to the outside figuring it was read-only and safe.

Zero day bug in tat exposed his Plex token. They then used another vulnerability in Plex to remote code execute. He was self-hosting a GitHub copy of all the company's code.

[–] [email protected] 2 points 1 week ago

This guy was running a three year old version of Plex with a known (and later fixed RCE), and was working for LastPass.

[–] [email protected] 1 points 1 week ago

Last time they’ll ever do that! Pass the buck of hosting web-facing Plex servers onto somebody else.

[–] [email protected] 11 points 1 week ago* (last edited 1 week ago)

Counter question

How would you know something went wrong? Do you monitor all the logs? Do you have alerting?

What happens if one service has a serious vulnerability and is compromised? Would an adversary be able to do lateral movement? For that matter are you scanning/checking for vulnerabilities? Do you monitor security tracker?

All of these are things to consider

[–] [email protected] 3 points 1 week ago (1 children)

Id like to know as well. I definetely dont want to be the first person of that story tough

Ive heard of someone who exposed the docker management port on the internet and woke up to malware running on their server. But thats of course not the same as web services.

[–] [email protected] 3 points 1 week ago

Once a server is compromised there are lots of uses. Everything from DDOS attacks to obscuring attacks against other targets. An attacker doesn't want to be discovered so they likely will hide as much as they can.

[–] [email protected] 8 points 1 week ago (3 children)

Something you might want to look into is using mTLS, or client certificate authentication, on any external facing services that aren't intended for anybody but yourself or close friends/family. Basically, it means nobody can even connect to your server without having a certificate that was pre-generated by you. On the server end, you just create the certificate, and on the client end, you install it to the device and select it when asked.

The viability of this depends on what applications you use, as support for it must be implemented by its developers. For anything only accessed via web browser, it's perfect. All web browsers (except Firefox on mobile...) can handle mTLS certs. Lots of Android apps also support it. I use it for Nextcloud on Android (so Files, Tasks, Notes, Photos, RSS, and DAVx5 apps all work) and support works across the board there. It also works for Home Assistant and Gotify apps. It looks like Immich does indeed support it too. In my configuration, I only require it on external connections by having 443 on the router be forwarded to 444 on the server, so I can apply different settings easily without having to do any filtering.

As far as security and privacy goes, mTLS is virtually impenetrable so long as you protect the certificate and configure the proxy correctly, and similar in concept to using Wireguard. Nearly everything I publicly expose is protected via mTLS, with very rare exceptions like Navidrome due to lack of support in subsonic clients, and a couple other things that I actually want to be universally reachable.

[–] [email protected] 4 points 1 week ago

mTLS is great and it's a shame Firefox mobile still doesn't support it.

[–] [email protected] 1 points 1 week ago

Sounds like the clearnet equivalent to i2p encrypted lease sets

[–] [email protected] 2 points 1 week ago

Wow, thats very, very nice. I didnt know this even existed.

But I suppose if it had widespread support it would be the perfect solution.

Firefox mobile not supporting it might be a dealbreaker though, since it is the browser I use and the one I persuaded all my friends and family to switch to...

But this is an incredibly interesting technology and I will surely look into implementing at least partially if that works.

Thanks a lot for sharing!

[–] [email protected] 15 points 1 week ago (3 children)

Admittedly I'm paranoid, but I'd be looking to:

  1. Isolate your personal data from any web facing servers as much as possible. I break my own rule here with Immich, but I also...
  2. Use a Cloudflare tunnel instead of opening ports on your router directly. This gets your IP address out of public record.
  3. Use Cloudflare's WAF features to limit ingress to trusted countries at a minimum.
  4. If you can get your head around it, lock things down more with features like Cloudflare device authentication.
  5. Especially if you don't do step 4: Integrate Crowdsec into your Nginx setup to block probes, known bot IPs, and common attack vectors.

All of the above is free, but past step 2 can be difficult to setup. The peace of mind once it is, however, is worth it to me.

[–] [email protected] 0 points 1 week ago (1 children)
  1. Guess what, all IP addresses are known. There is no secret behind them. And you can scan all IPv4 addreses for ports in a few seconds at most.
  2. So some countries are more dangerous than others? Secure your network and service and keep them up to date, then you do not have to rely on nonsense geoblocking.
  3. Known bots are also no issue most of the time. They are just bots. They usually target a decade old Vulnerabilities and try out default passwords. If you follow my advice on 3. this is a non issue
[–] [email protected] 0 points 1 week ago (1 children)
  1. Sure but there's no reason to openly advertise that yours has open services behind it.
  2. Absolutely. There are countries that I'm never going to travel there so why would I need to allow access to my stuff from there? If you think it's nonsense then don't use it, but you do you and I'll do me.
  3. See point 3.

We all need to decide for ourselves what we're comfortable with and what we're not and then implement appropriate measures to suit. I'm not sure why you're arguing with me over how I setup my own services for my own use.

[–] [email protected] 2 points 1 week ago

Yes i do i and you do you. But advertising those things as security measures while not adding any real security is just snake oil and can result in neglecting real security measures.

As i said, the whole internet can be port scanned within seconds, so your services will be discovered, what is the risk you assume to have when your IP address is known and the fact that you host a service with it? The service has the same vulnerabilities if it is hosted via cloudflare tunnels or directly via port forwarding on the router. So you assume that your router is not secure? Then unplug it, cause it is already connected to the router.

Geoblocking is useless for any threat actor. You can get access to VPN services or a VPS for very very very little money.

[–] [email protected] 1 points 1 week ago

Sounds exactly like my setup for the last 5 years, minus NGINX (don't need it with Cloidflared since each service is it's own Proxmos Container and use their own exclusive tunnels).

[–] [email protected] 4 points 1 week ago (1 children)

Thanks for your reply!

Suggestion 1 definetely does make a lot of sense and I will be doing exactly that asap. Its something I didnt think through before but that would make me much more in peace.

Suggestions 2-4 sound very reasonable, I have indeed searched for a way to self host a waf but didnt find much info. My only only concern with your points is... Cloudflare. From my understanding that would indeed add a lot of security to the whole setup but they would then be able to see everything going through my network, is that right?

[–] [email protected] 2 points 1 week ago (1 children)

Yes and no? It's not quite as black and white as that though. Yes, they can technically decrypt anything that's been encrypted with a cert that they've issued. But they can't see through any additional encryption layers applied to that traffic (eg. encrypted password vault blobs) or see any traffic on your LAN that's not specifically passing through the tunnel to or from the outside.

Cloudflare is a massive CDN provider, trusted to do exactly this sort of thing with the private data of equally massive companies, and they're compliant with GDPR and other such regulations. Ultimately, the likelihood that they give the slightest jot about what passes through your tunnel as an individual user is minute, but whether you're comfortable with them handling your data is something only you can decide.

There's a decent question and answer about the same thing here: https://community.cloudflare.com/t/what-data-does-cloudflare-actually-see/28660

[–] [email protected] 2 points 1 week ago

Yes absolutely. For work most of my clients use cloudflare's different services so I understand they have credibility.

For me though, part of the reason I self host is to get away from some big tech companies' grasp. But I understand I am a bit extreme at times.

So thanks for opening my mind and pointing me to that very interesting discussion, as well as for sharing your setup, it sure seems to be very sound security wise.

[–] [email protected] 6 points 1 week ago (2 children)

Just do what I do and consistently forget to set up DDNS and also be bad at noticing when your ISP juggles your IP address.

[–] [email protected] 2 points 1 week ago

Get a VPS and route traffic into a isolated network

[–] [email protected] 6 points 1 week ago (2 children)

Been there, done that lol, my ISP doesnt change my IP half as much as I should like, and I renew my certs half as often as they deserve.

Seriously though, I had certs expire twice until I finally decided to get this setup properly.

[–] [email protected] 1 points 1 week ago

Why would you like your IP to change? My ISP never changed mine and I thank them for that

[–] [email protected] 2 points 1 week ago

It makes sense that Bilbo would run a homeserver.

load more comments
view more: next ›