I see a lot of people here uses some form of remote access tool (VPN/Tailscale) to access their home network when not at home. I can’t really do this because my phone (iOS) can only activate one VPN profile at a time, and I often need this for other stuff.

So I chose to expose most web based services on the public internet, behind Authelia. But I don’t know how safe this is.

What I’m really unsure are things like Vaultwarden: while the web interface is protected by Authelia (even use 2FA), its API address needs to be bypassed for direct access, otherwise the mobile APP won’t work. It feels like this is negative everything I’ve done so far.

@Richard@lemmy.world
link
fedilink
English
21Y

A number of people have touched on the perimeter security, but you can also look at your internal network too and whether you have the systems being exposed on vlans with firewalls preventing connectivity from those systems back to your other stuff that doesn’t need to be exposed. Could help cover you if a system is compromised due to bad config, zero day exploit, or whatever, by limiting the ability to then go sideways through your network to exploit other systems. Depending on what you are hosting there may be zero requirement for your externally facing server to need to talk to the majority of devices on your network, or the talk could be one way only (internal facing to external facing).

@nik282000@lemmy.ml
link
fedilink
English
61Y

If you use strong passwords and keep an eye on your logs you are no less safe than any other public facing entity. I’ve had a bunch of services exposed since 2020 so far no one has even bothered to brute the basic auth on Apache (though bot nets take a run at SSH a few times a year).

@Distributed@lemmy.ml
link
fedilink
English
21Y

I thought I was fine, until I installed IDS/IPS on my OPNSense box, and noticed one of my servers trying to contact a malicious IP. Took everything offline that day and keep publically facing services on other peoples networks :~)

I’m a network engineer and >15 years of experience in IT. It’s never “safe”. Not even in corporate IT. You’re a home user and it’s less likely you’ll be targeted but bad actors do comb the internet for known vulnerabilities. Patch your shit, limit exposure, enable MFA on everything. I don’t run it, but I feel slightly sketched out not behind something like a Palo Alto. But again I’m just a small potato in a big sea and I patch everything.

There will always be risk. Just do what feels right for you. Follow beat practices.

It’s only bad practice if you don’t keep up on vulnerabilities/patching, don’t have any type of monitoring or ability to detect a potential breach, etc.

The nice thing about tucking everything behind a VPN is you only have one attack surface to really worry about.

Here’s how I solved the problem: https://blog.lchapman.dev/self-hosting-foundations/

Not free, but pretty cheap. Been doing it for a year or so and I’m happy with the solution.

Not bad practice just not as secure.

You can’t beat the security of not exposing it but sometimes you need to so then you need to mitigate it with certs, reverse proxy or VPN.

It depends on what you need and what your thread model is.

@ilmagico@lemmy.world
link
fedilink
English
2
edit-2
1Y

I have my nextcloud server exposed, I keep it up to date, patched, etc. but I’d love to use the extra protection of a VPN. Just … I don’t think mobile apps work very well with that, unless I keep my phone constantly connected to the VPN, right? Or is there a smart way to do that?

Bdking158
link
fedilink
11Y

Not sure of your setup but I use OpenVPN on my Android and have set it to whitelist apps so only the apps that need to use the VPN do so. You can also go the opposite and blacklist so all apps except those you specify use the VPN.

Something Burger 🍔
link
fedilink
English
4
edit-2
1Y

I believe you can configure your phone to only route traffic to your server though the VPN.

@ilmagico@lemmy.world
link
fedilink
English
11Y

Nice! … how exactly, I wanna know :)

Bdking158
link
fedilink
31Y

I’m my case, I’m using the OpenVPN server on my router. When I set it up, there was an option for the client to only use the VPN for local traffic. That way it’s part of the config file on my phone. Works flawlessly

@twent4@lemmy.world
link
fedilink
English
41Y

this thread mentions an OVPN client that can do split tunneling so all you’d do is whitelist your server in the android phone and turn it on.

ProtonVPN has tunneling too, for instance, but no self hosting option.

@OmltCat@lemmy.world
creator
link
fedilink
English
11Y

Yea that’s basically the reason why I can’t use a VPN.

In fact there isn’t really a problem to leave your phone connected to the selfhosted VPN all the time. If split tunneling works properly, only traffic that access your home network would actually go through the VPN, all others will just get bypassed.

But in my case, I already need to be connected to another VPN most of my day, so can’t really go this route.

@constantokra@lemmy.one
link
fedilink
English
11Y

Is the existing one wireguard? Because on android you can use the same interface and add another peer. You’d also have to use the same ip range and key on your VPN.

I use a reverse proxy and client certificate authentication for anything I expose. That requires me to pre install the client certificate on all of my devices first, but afterwards they can connect freely via a web browser with no further prompting to authenticate. Anybody without the client certificate gets a 403 before they even get past the proxy.

There are limitations to this and overhead of managing a CA and the client certificates for your devices.

Time To Live
link
fedilink
English
5
edit-2
1Y

deleted by creator

@OmltCat@lemmy.world
creator
link
fedilink
English
51Y

Well I’m trying to discuss when unable to use a VPN so….

Does a vpn endpoint redirect a user to a reverse proxy or something? I’ve considered running an authenticated onion service to access some less resource intensive services (gitea, etc)

If you don’t need to, then DON’T. I only expose my personal website, my CardDAV server, my Gitea instance and my SSH server. Update them regularly

If your application is insecure/old, use it behind a VPN

@ollie@lemmy.world
link
fedilink
English
41Y

It all just depends on how much you trust the app, and how you’ve set up things when it does go wrong. Not every container needs to be able to access other containers on the system, lan, have access to whatever folder, read/write permissions, etc

A good practice for things like vaultwarden would be to only whitelist the country/state you’re in to minimize your attack profile

fail2ban or crowdsec can also help with all the rats sniffing around

My understanding is that it’s just not as secure. Any open port can be considered a potential way for a hacker to get in. Of course, that doesn’t mean it will 100% happen and you will get hacked, but at least in the case of Tailscale, it does it in a secure way that makes it so you don’t have those open ports. Basically, it’s not bad to just expose them to the internet, it’s just not as secure as using tools like Tailscale.

It’s not bad per se, but you really just need to understand the risks involved and have an idea of how to secure your services properly. I personally won’t expose anything if it doesn’t have some sort of centralized auth solution (LDAP preferred) and 2FA to better secure accounts.

It’s also good practice to have some way of mitigating brute-force attacks with something like fail2ban, and a way to outright block known bad IP addresses.

I have many of my services open to the internet, but behind authelia w/2fa and a reverse proxy. I haven’t had a security issue yet, been running this way for a few years.

I think it’s pretty safe as long as you keep them up to date. I run backups weekly and do updates at least once a month.

Using geoip restrictions will also help a lot because you can block most of the scanner bots by denying connections from outside your geographic region. These bots detect what services are open to the internet and then add them to databases like shodan. If a security flaw is found in one of those services, hackers will search those databases for servers with those services running and try to exploit them. If you aren’t in those databases they can’t easily find you before you are able to patch.

@OmltCat@lemmy.world
creator
link
fedilink
English
11Y

Very good point regarding geoip, thanks!

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 191 users / day
  • 419 users / week
  • 1.14K users / month
  • 3.85K users / 6 months
  • 1 subscriber
  • 3.71K Posts
  • 74.6K Comments
  • Modlog