this post was submitted on 04 Nov 2024

117 points (98.3% liked)

Selfhosted

40173 readers

636 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

117

Help me harden my home server (lemmy.sdf.org)

submitted 1 week ago by [email protected] to c/[email protected]

59 comments fedilink hide all child comments

I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has "--net host", although the containers can access host services because they have the option "--map-guest-addr" set, so I don't know if this is any safer then "--net host".

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don't think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don't really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

(page 2) 9 comments

sorted by: hot top controversial new old

[–] [email protected] 0 points 1 week ago (9 children)

You might want to consider that backups only protect very old data from ransomware.

Ransomware works by getting on a machine and sitting for several months before activating. During that time, your data is encrypted but you don't know because when you open a file, your computer decrypts it and shows you what you expect to see. So your backups are working but are saving files that will be lost once the ransom ware activates.

The only solution is to frequently manually verify the backup from a known safe computer. Years ago I looked for something to automate this but didn't find it. (Something like a raspberry pi with no Internet that can only see the PC it's testing, compares a known file, then touches the file so it gets backed up again.)

load more comments (9 replies)

[–] [email protected] 2 points 1 week ago (4 children)

Just close 443 and use VPN with ACME DNS challenges for your certs. That'll help make it even more secure, nothing is full proof though and a VPN is a good first step

load more comments (4 replies)

[–] [email protected] 39 points 1 week ago (3 children)

The single best thing you can do security wise, is to NOT have any personal data on a web facing server.

Separate the data

Rereading it does look like you are doing the things right; so just audit what is on the public side. - your calendar and tasks- cool

Your photo and docs, do those need to be on there?

they are not accessible on the WAN

If they are on a server that is publicly accessible, please move them to a different location

Otherwise you sound like your doing well

[–] [email protected] 6 points 1 week ago (2 children)

That was a great answer, thank you so much!

Yes I didnt even notice the family photos and docs dont need to be on that same server. Initially I just put them there to act as a local file share. But you are absolutely right, moving them from the public server is the best thing I can do to protect them.

I will look into setting up a second server for the private stuff that is not publicluly accessible

[–] [email protected] 8 points 1 week ago (2 children)

If this server is publicly accessible and gets pwned, they can use it as a jump box for your internal devices.

load more comments (2 replies)

[–] [email protected] 1 points 1 week ago

Also, this answer.

load more comments (2 replies)

[–] [email protected] 11 points 1 week ago (1 children)

Wireguard is a VPN, so that's not going to help you much here unless you're forwarding all your traffic through a remote server, in which case anyone gets in there will still be able to get your local machines. It's another hop in the chain, but that's about it.

If you want to be more on guard about reacting to attacks, or just bad traffic, you probably want something like Crowdsec. You'll at least be able to detect and ban IPs probing your services. If that's too much work, leverage OoenWRT reporting and some scripting to ban bad actors that probe your firewall and open ports. That's a good first step.

If you're concerned about the containers, consider using something more secure than dockerd. Podman rootless with a dedicated service user is a good start. Then maybe look at something more complex: Kata, gvisor, lxc...etc. The goal being sandboxing the containers more to prevent jailbreaks.

[–] [email protected] 4 points 1 week ago (1 children)

Thanks for the amazing reply and specially for the explanation regarding wireguard.

I didnt know about crowsec and kata containers, both amazing projects, I will definetely look into it and try to set them up.

Just one quick follow up question, when you mention dedicanted service user, do you mean its best to have a sepate user for each service, such as one for nginx, one for adguardhome and so on? Currently all of them run under the same user and I didnt think about this possibility before.

[–] [email protected] 3 points 1 week ago (1 children)

Yeah, so if you're running rootless containers, they aren't run by root, and for added security, you don't want them run by your normal user because if they get broken, then they'd have access to what your user has access to. Just create another user that only runs containers, and doesn't have access to your things or root.

load more comments (1 replies)

load more comments