Hey guys,

after reading up on selfhosting for weeks now I finally decided to take the plunge today and tried setting up my own nextcloud & jellyfin instances. For this purpose I am using a mini PC. (similiar to an Intel NUC)

Now I would like to make both services available to the internet so I could show images to friends while I’m at their place / watch movies with them.

The problem is I am currently not very educated on which security measures I would have to take to ensure that my server / mini PC doesn’t immediately become an easy target for a hacker, especially considering that I would host private photos on the nextcloud.

After googling around I feel like I find a lot of conflicting information as well as write-ups that I don’t fully grasp with my limited knowledge so if you guys have any general advice or even places to learn about all these concepts I would be absolutely delighted!

Thank you guys sooo much in advance for any and all help, the c/selfhosted community has been nothing but a great resource for me so far!!!

@nbailey@lemmy.ca
link
fedilink
English
51Y

Best advice I can give is to make sure the default virtualhost on nginx/apache just sends a 404 to all requests to your IP, and only serve the apps you want when they’re accessed by the correct hostname. The vast majority of spammy scanners are just hitting all public IPs, so as long as you don’t tell them what you’re hosting you’ll be alright.

Then, I’d advise having some sort of basic web application firewall (WAF). Modsecurity is a common one, NAXSI is another. These take some time to set up, but are quite good at absorbing attempted attacks.

I serve HTTP 403 for all requests to the default vhost and log them, harvest IPs through a log aggregator (or just fail2ban) and tag them as bad bots/scanners, and eternal-ban them on all my hosts. Currently have 98451 addresses or networks in my ipset for these.

For requests to actual domains, I ban after a few unsuccessful authentication attempts. A WAF is nice to have (tedious but fun to set up) - currently working on improving my Modsecurity setup.

Other than that there is already good advice here:

  • keep OS/packages/installed services up-to-date
  • only run software from trusted (ideally signed) sources
  • use host and network-based firewalls
  • use strong encryption and authentication everywhere
  • only expose what is absolutely required
  • implement good privilege separation (even dedicated users for each app/service, proper file ownership/permissions goes a long way)
  • run scanners to detect possible misconfigurations/hardening measures (systemd-analyze security was mentioned, I also like lynis and debsecan)
  • set up proper logging/monitoring alerting
@nbailey@lemmy.ca
link
fedilink
English
21Y

Yep, banning scanners with ipset lists is a great solution. I use a slightly convoluted method to perma-ban abusers, but fail2ban also works great.

https://nbailey.ca/post/block-scanners/

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 157 users / day
  • 456 users / week
  • 1.32K users / month
  • 3.92K users / 6 months
  • 1 subscriber
  • 3.8K Posts
  • 76.9K Comments
  • Modlog