I find the idea of self-hosting to be really appealing, but at the same time I find it to be incredibly scary. This is not because I lack the technical expertise, but because I have gotten the impression that everyone on the Internet would immediately try to hack into it to make it join their bot net. As a result, I would have to be constantly vigilant against this, yet one of the numerous assailants would only have to succeed once. Dealing with this constant threat seems like it would be frightening enough as a full-time job, but this would only be a hobby project for me.
How do the self-hosters on Lemmy avoid becoming one with the botnet?
Outbound firewall and SMAC protections.
If you compromise my server you’ll struggle to phone home without manual intervention, which is good enough to stop botnets.
pFsense + IDS/IPS segmenting network and a robust set of rules would pretty much get you there.
Damn dawg, reading this made me not wanna self host my own instance. I was considering it.
Hey, now, just because I am an overly paranoid person does not mean that you have to be as well!
Well for one its not as automatic as it sounds. Basic protections will get you far. I have a minecraft server exposed but it only accepts connections from 3 specific places. Remember its the same as ever other real life deterrant, make yourself less of a target than the next guy. It also really helps not having juicy company data on your network. Home networks are way less of a target because you dont have any fine booty to loot.
- routine patching
- siem log aggregation
- proper alerting metrics and notifications
- routine virus scanning
- proper network segregation between your NATd network and your personal network
- firewall firewall firewall
- expose your applications to the internet through a WAF, never directly
if you can do all these things properly, then there shouldn’t be too much danger in selfhosting your apps publicly.
Would something like Anubis or Iocaine prevent what you’re worried about?
I haven’t used either, but from what I understand they’re both lightweight programs to prevent bot scraping. I think Anubis analyzes web traffic and blocks bots when detected, and Iocaine does something similar but also creates a maze of garbage data to redirect those bots into, in order to poison the AI itself and consume excessive resources on the end of the companies attempting to scrape the data.
Obviously what others have said about firewalls, VPNs, and antivirus still applies; maybe also a rootkit hunter and Linux Malware Detect? I’m still new to this though, so you probably know more about all that than I do. Sorry if I’m stating the obvious.
Not sure if this is overkill but maybe Network Security Toolkit might have some helpful tools as well?
Just use tailscale and don’t forward any ports and you’ll be fine
There’s a lot of technical answers here, but Tailscale is what you want OP. Self-hosting is only a risk if you open ports. Tailscale doesn’t require opening any ports.
Alternatively, you could set up your own VPN and forward one port to the VPN. The risk of port forwarding to VPN such as Wireguard or OpenVPN is minimal.
The risk of being attacked applies to those that port forward web traffic so it can be accessed without a VPN by themselves or others. If you don’t do that, the risk is very low.
Is it bad to forward ports temporarily to game with friends? And deactivate after?
I dont have the energy to learn new fanglad networking since everything is so insecure now…im used to 2009 servers.
It’s not really complicated at all you just download the tailscale app make an account and then hit share to your friends. That’s how I run a Minecraft server for me and my friends because I was too lazy to figure out how to port forward. It was easier to just sudo apt install tailscale and essentially be done.
That sounds so easy my friends could do it! Ill need to read up
No?
I mean, how else are you meant to play the game actually?
I guess you could be like opening ports just to particular IPs. And you need a game that isn’t Swiss cheese that gets immediately hacked.
But like hackers don’t sort of seep in through port forwards; they need to physically identify and exploit a particular vulnerability.
Ah. Well mostly it’s for voxelibre or armegatron nowadays
They don’t have to succeed once.
Use antivirus and other endpoint security measures. Rotate your passwords and keys. Use Everything as Code, and for goodness sake make backups.
If you find yourself compromised, rotate and burn the keys, wipe and redeploy.
Everything that you mention is sensible, but it seems like it would take so much time not only to set up but to perform the ongoing maintenance you described that it just is not worth the trouble to self-host, which is a significant factor in why I have not taken a shot at it.
Honestly it’s not a ton of time. A few minutes to run patches every few weeks, and the initial investment to plan, install, and configure your services (but then that’s the fun part no?). Self hosting IMO isn’t a great way to save time and money, or even to get out of the pocket of big tech. If those are your goals you’re better off looking at hosted solutions that are Open, and likely paying for it since running IT stacks isn’t free. Self hosting is a hobby, something you do to learn and because you enjoy it. It is hard sometimes, takes time, and comes with risks, but so do most other hobbies.
That does not sound so bad; the parent comment made it sound a lot worse than that.
Eh, it can be a lot of work but doesn’t have to be. I’ve automated backups, and if you follow current best practice guidance from industry, you should use long pass phrases and not worry about regularly rotating them. For things like SSH keys, you can rotate them if you think you’ve had a breach but in normal usage there isn’t a huge benefit security-wise since they functionally can’t be guessed and would need to be stolen. If an adversary steals your SSH keys then you’re already pretty hosed as the next step is for them to establish another backdoor to access your server without needing your key.
I think most home lab/shelf hosters start off because they want to learn something. I think (generally, philosophically) many people never start something new even if it interests them because they are afraid. To this point, it sounds like you can either let the fear prevent you from doing what you want, or you can use the fear as a learning tool.
Start simple. Build something very easy and isolated, air gap it if you need to. Figure out how logs and monitoring work, maybe even try attacking it yourself, so you have confidence that even if it’s compromised you will see how and why. Then you can connect it to the internet, isolated from the rest of your network, and then you will learn how well- or un-founded those fears are. Learn even more about monitoring and defending, then start looking for a job as a cybersecurity professional because you are already well underway.
I mostly just like building and tinkering with things, and I really like the idea of setting up services that I control that host my own data that I can access from anywhere. I have no real interest in learning about more than the minimum amount needed to do that simply because that is not how I would like to spend my time.
(Lest you continue to have the wrong impression that I am afraid of learning new things: There was a period in my life where I was constantly learning new technologies, programming languages, etc. Eventually I realized that I had demonstrated that I was capable of learning anything that I wanted, and there were so many things out there to learn that I needed to start becoming more selective. At the moment my learning goals tend to be more math focused; currently I am trying to learn graduate-level category theory and measure theory.)
If I really need to master all of the steps that you’ve described before deploying my host on the Internet, then my conclusion is that it is more trouble than it is worth, because my concern is that if I screw up then I will make the Internet a worse place by contributing to botnets.
If I really need to master all of the steps that you’ve described before deploying my host on the Internet, then my conclusion is that it is more trouble than it is worth, because my concern is that if I screw up then I will make the Internet a worse place by contributing to botnets.
Nah dude. You’re not going to make the internet worse because a bot opened a door you thought was locked and let himself in. That’s rubbish. Do some reading, study up, deploy the server. Monitor before you start putting any PII on the server. Deploy a couple fun Docker containers. Monitor. Build your confidence.
Don’t let fear get the best of you. I have a load of fun with my set up as, like you, I love to tinker. Nothing I have done can’t be replicated through studying, asking questions, deploying in gradual steps. I have no certifications or any of that pro stuff some of these guys have. Just a regular schmoe. It really isn’t that much hassle once you get everything set up and you have confidence in your server’s defenses.
DO IT!!!
Self-hosting means taking on those maintenance responsibilities yourself. Same as doing your own plumbing or car maintenance. Either you spend the time and effort yourself, or you pay someone else to do it.
Right, but there is an entire spectrum of plumbing maintenance. I am perfectly capable of plunging toilets, but when a drain fails to work after several attack on my part then it is time to call in the plumber.
Yes…yet another comment. LOL Something you should do from the very start is take notes of everything you do on the server. I use Notepad++ for the rough draft while I’m setting something up. Copy/paste, write out commands, notations, what this or that does. Take prolific notes. I really can’t stress that enough. That way, if you need to back out of something, or if the wheels fall off, you can go right back to your notes. Don’t be lulled into the idea that you will be able to remember every last keystroke you’ve made. That rarely happens. Take notes.
When I have successfully deployed whatever I’m working on, then I go back, take my notes, clean them up, and place them in Obsidian and make backups of them.
Makin notes is good for sonething very simple. It’s better to automate deployment with salt, ansible or something similar. A bit more effort at first setup, much easier restoration. Self-documented.
In another life I worked as a Mech Eng for a Contractor firm. The rule was ‘If you didn’t write it down, it didn’t happen’. Over the years, that has bled into my personal life as well. I hear what you’re saying, and from what I’ve digested regarding Ansible, it is a quite powerful and capable package. However, let’s let OP stand up his first server. He’s already stressed about not being a botnet victim. So, perhaps some rudimentary steps are in order. Then you can blow his mind with Ansible. LOL
If you don’t need stuff publicly accessible, and just need it accessible to you, then set up a small computer on the network as an ssh Bastion host/jump server, put it on a VPN connection with a VPN provider that offers dyndns, forward the ssh port through the dyndns, and then off network, reverse proxy in with socks5 via key based ssh -D to gain access to all the services available inside the LAN.
Been doing this for a few years, works great and no one is getting in without my ssh key.
Or with a exploit/zero day.
Chance is close to zero but never absolute 0 ;)True enough.
It’s all about server hardening. See https://blog.melroy.org/2023/server-hardening/
Wow is that ever a load of snake oil.
I see this kind of guide as actively harmful because it creates a false sense of security.
Is there bad advise on there?
I skimmed it and there’s lots of good advice I think.
I’m no security expert and this is an honest question.
Step 1 is to do everything inside your network with data you don’t care about. Get comfortable starting services, visiting them locally, and playing around with them. See what you like and don’t like. Feel free to completely nuke everything and start from scratch a few times. (Containers like Docker make this super easy).
Step 2 is to start relying on it for things inside your network. Have a NAS, maybe home assistant, or some other services like Immich or Navidrome. Figure out how to give services access to your data without relying on them to not harm it (use read only mounts, permissions, snapshots, etc.)
Step 3 is to figure out how to make services more accessible away from home. Whether that is via a VPN, or something like tailscale, or just carefully opening specific ports to specific secure and up-to-date services. This is the part you’re feeling anxious about, and I think you’ll feel less anxious if you do steps 1 and 2 first and not even think about 3 yet. Consider it its own challenge, and just do one challenge at a time.
Have a limited attack surface will reduce exposure.
If, say, the only thing that you’re exposing is, oh, say, a Wireguard VPN, then unless there’s a misconfiguration or remotely-exploitable bug in Wireguard, then you’re fine regarding random people running exploit scanners.
I’m not too worried about stuff like (vanilla) Apache, OpenSSH, Wireguard, stuff like that, the “big” stuff that have a lot of eyes on them. I’d be a lot more dubious about niche stuff that some guy just threw together.
To put perspective on this, you gotta remember that most software that people run isn’t run in a sandbox. It can phone home. Games on Steam. If your Web browser has bugs, it’s got a lot of sites that might attack it. Plugins for that Web browser. Some guy’s open-source project. That’s a potential vector too. Sure, some random script kiddy running an exploit scanner is a potential risk, but my bet is that if you look at the actual number of compromises via that route, it’s probably rather lower than plain old malware.
It’s good to be aware of what you’re doing when you expose the Internet to something, but also to keep perspective. A lot of people out there run services exposed to the Internet every day; they need to do so to make things work.
That’s the point. It taught me things that I wouldn’t learn if it weren’t for that scared feeling. I agree that some sensitive things are better off my server.
You should start small and keep only things you want to be public, and services under basic logins. First logins, maybe admin admin but slowly you will get better and also place fail2ban and crowdsec. Once you have enough confidence and years of service on your belt. You can trust it with sensitive files under heavy guard.
Only expose services internally then use a secure VPN to access your services, this makes your network no more vulnerable in practice than not self hosting. If you need/want to expose something to the internet, make sure you setup your network right. Use a DMZ to separate that service and leverage something like CrowdSec along with good passwords, antivirus, and keep things patched.
Thanks for the CrowdSec tip, I’ve already got an nginx reverse proxy set up but wasn’t aware I could integrate this for extra protection.
How do I check this? I route everything on my internal network only. But how should I make sure its not accessible remotely? I cannot just have these on an air gapped network.
Throw your IP into Shodan.io and see what it comes back with.
You can run a port scan against your public IP from another network to see what is open. But if you haven’t specifically set something up for external access through port forwarding you are probably fine.
Should I do the same if I want to expose an OpenAI compatible API to access an LLM to chat remotely on local technical documents?
It doesn’t usually matter what the service is, the basic concepts are the same. If you want to access a service you host on your internal network from another external network you either need to use a VPN to securely connect into your network, or expose the service directly. If you are exposing it directly you should put it (or a proxy like NPM) in your DMZ. The specifics of how to do this though will vary from service to service and with your specific network config.
Tailscale on everything
