Hey guys,

after reading up on selfhosting for weeks now I finally decided to take the plunge today and tried setting up my own nextcloud & jellyfin instances. For this purpose I am using a mini PC (similar to an Intel NUC).

Now I would like to make both services available to the internet so I could show images to friends while I’m at their place / watch movies with them.

The problem is I am currently not very educated on which security measures I would have to take to ensure that my server / mini PC doesn’t immediately become an easy target for a hacker, especially considering that I would host private photos on the nextcloud.

After googling around I feel like I find a lot of conflicting information as well as write-ups that I don’t fully grasp with my limited knowledge so if you guys have any general advice or even places to learn about all these concepts I would be absolutely delighted!

Thank you guys sooo much in advance for any and all help, the c/selfhosted community has been nothing but a great resource for me so far!!!

4 points

General advice would be to look boring and hide your IP as much as you are able (get a domain). As long as you’re not looking juicy you won’t attract skilled attention. It’s like locking a bike, most bad actors will just pass by looking around for one without a lock or a real fancy one worth their resources.

You can utilize Cloudflare’s free offerings, starting with simple stuff. Their DNS Proxy is essentially a single click but will help substantially. You can build on top of that with simple WAF rules, such as dropping connection attempts from IPs originating from countries notorious for “poking around”. You can also reverse that rule and whitelist only your country.

Keep your firewall tight, don’t expose other ports, put your services behind a reverse proxy and redirect everything to HTTPS. Start simple, constantly improve, learn more advanced methods/concepts.

11 points

How is getting a domain protecting your IP? Wouldn’t your IP still be accessible even after you link it to a domain?

6 points

Yes, but by proxying your traffic via cloudflare your domain will point to their IP instead of yours directly.

2 points

So it makes your IP less discoverable. However, if someone finds your IP randomly (through brute force), would you still be vulnerable? Or is it possible to only port forward to a static CF address so only CF can connect to you outside of your home network?

2 points

My bad, I should have worded that better, thank you for making it clear, that’s exactly what I had in mind.

18 points

If you are just exposing ports 80 and 443 (standard web ports), Cloudflare proxy is free and will work well to hide your IP.

Get yourself a domain name then use Cloudflare DNS to set an A record pointing to your home IP. If you have a dynamic IP (one that occasionally changes) you’ll want to read this: https://developers.cloudflare.com/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses/

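The question raised earlier in this thread (whether you can arrange for only the proxy to reach your origin once your real IP is hidden behind it) comes down to a firewall allowlist on the origin. The following is an added example, not code from the thread or from Cloudflare: it takes a list of proxy egress ranges, answers "is this source address allowed?", and renders an nftables ruleset that drops everything on 80/443 except those ranges. The CIDRs embedded here are constructed RFC 5737/3849 documentation ranges, not Cloudflare's real list; Cloudflare publishes its current ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and those lists (which change over time) are what you would feed in for real.

```python
"""Origin allowlist: only accept web traffic that arrives via the reverse-proxy provider.

Added example for this thread. The ranges below are CONSTRUCTED documentation
prefixes standing in for a provider's published egress list; replace them with
the provider's real, periodically refreshed list before use.
"""
import ipaddress

SAMPLE_PROXY_RANGES = """
# constructed sample list; not the provider's real ranges
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""


def parse_ranges(text):
    """Parse one CIDR per line, skipping blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=True rejects host bits set in the prefix (a typo such as 192.0.2.1/24)
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_allowed(src_ip, nets):
    """True if src_ip falls inside any allowlisted prefix of the same IP version."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in n for n in nets if n.version == addr.version)


def build_nft_ruleset(nets, ports=(80, 443)):
    """Render an nftables ruleset: default drop, loopback and established flows
    accepted, and the web ports reachable only from the allowlisted prefixes."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = ["table inet origin_guard {"]
    # 'flags interval' lets the set hold prefixes rather than single addresses
    if v4:
        lines.append("  set proxy_v4 { type ipv4_addr; flags interval; elements = { "
                     + ", ".join(v4) + " } }")
    if v6:
        lines.append("  set proxy_v6 { type ipv6_addr; flags interval; elements = { "
                     + ", ".join(v6) + " } }")
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    if v4:
        lines.append(f"    ip saddr @proxy_v4 tcp dport {port_set} accept")
    if v6:
        lines.append(f"    ip6 saddr @proxy_v6 tcp dport {port_set} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_PROXY_RANGES)
    for probe in ("192.0.2.10", "203.0.113.5", "2001:db8::1"):
        print(probe, "allowed" if is_allowed(probe, nets) else "dropped")
    print(build_nft_ruleset(nets))
```

Two caveats a practitioner would want: with the policy above, nothing but the proxy's ranges can reach the web ports, so your own LAN access should go through the proxy too or get an explicit LAN rule; and because the allowlist is only as current as the published list, refresh it on a schedule rather than pasting it once.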
19 points

As soon as you put something up online, you will de facto become a target with nowhere to hide except offline. Your IP will be known and constantly hammered by more or less serious threats.

If you don’t know the basics of Linux system administration and typical security measures, I would propose 2 approaches: you can go “the NAS way” and purchase something turnkey like a Synology (or anything on which you can easily spin up containers to host your services). You can expect a large part of the administration to be taken care of with sound default settings.

Another approach is to use a beginner-friendly distro like https://yunohost.org/ , perhaps more involved, more risky, a bit more rewarding.

Also, don’t put anything up there like personal or valuable information (except if encrypted with local-only keys), expect to be hacked, expect to be wiped, and think early on about (off-site) backups.

1 point

Yup, if you have SSH service open on port 22, you’re automatically spammed by bots trying to brute force their way onto the system.

1 point

They’ll brute force ssh against any port, tbf, changing 22 to something else will not buy you much :)

-1 points

I think you can go with Yunohost. It is easy to start selfhosting and exposing services to the web. I have used it for more than a year, and it is super cool. I especially love the fact that it is easy for newcomers, but also open to customisation for more pro users. Yunohost provides a domain with DDNS, Fail2Ban, and tells you which ports should be opened (80 and 443 is all you need, maybe another one for SSH). It also provides SSO for hiding services that do not use authentication.

7 points

The other day I learned about endlessh. I set that up, switched my actual sshd to listen on a different port, and the ssh login attempts from randoms essentially went down to 0. Pretty neat.

5 points

Sounds like security by obscurity to me. But still, nice result.

1 point

Nah, as long as you keep following recommended security practices it can be useful to get rid of unneeded load being put on your server by malicious bots.
I had a lot of problems with botnets hammering my SSH service on my private VPS. Moving it to a different port would only work for a few days before they’d be back at it again.

I wasn’t worried they’d get in. But logging in to my server would take ages because it was under so much load (VPS is pretty low-spec). Finally decided to shove my SSH service behind port knocking. Got rid of all the bots knocking at my door.

Obscurity has its uses, as long as you don’t consider it a replacement for security. It’s just an additional tool.

3 points

It’s more targeted to avoid automated attacks.

3 points

Cool! I’m using fail2ban for cloud VMs, it seems to keep the log chatter down.

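Several replies above mention bots hammering sshd and fail2ban quieting them down. To make concrete what fail2ban actually does with those log lines, here is an added example (not from the thread and not fail2ban's own code) that implements the same sliding-window rule over sshd's syslog-format "Failed password" lines: once a source IP has `maxretry` failures within `findtime` seconds it is banned for `bantime` seconds, and the ban is rendered as an `nft add element` command against an assumed set `banned` in an assumed table `inet ssh_guard` (the set would need `flags timeout` for the `timeout` element to be accepted). The log lines are constructed for this example and use RFC 5737 documentation addresses; the year is assumed to be 2024 because syslog timestamps omit it.

```python
"""fail2ban-style SSH brute-force detection over auth.log lines.

Added example for this thread; it mirrors fail2ban's maxretry/findtime/bantime
logic but is not fail2ban. Table and set names in ban_commands() are assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log (not from a real host).
# 203.0.113.7: five failures in eight seconds  -> should be banned.
# 198.51.100.9: one failure, then a key login   -> should not be banned.
# 203.0.113.8: three failures 15 minutes apart  -> outside findtime, not banned.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 nuc sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 nuc sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 nuc sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:07 nuc sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 nuc sshd[1205]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:02:10 nuc sshd[1210]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:02:20 nuc sshd[1211]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2: ED25519 SHA256:AAAA
Mar  3 10:05:00 nuc sshd[1220]: Failed password for root from 203.0.113.8 port 50000 ssh2
Mar  3 10:20:00 nuc sshd[1221]: Failed password for root from 203.0.113.8 port 50002 ssh2
Mar  3 10:35:00 nuc sshd[1222]: Failed password for root from 203.0.113.8 port 50004 ssh2
"""

# Matches both "Failed password for root from X" and "... for invalid user bob from X".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def parse_line(line, year=2024):
    """Return (timestamp, source_ip) for an sshd failed-login line, else None."""
    fields = line.split(maxsplit=5)  # month, day, time, host, "sshd[pid]:", message
    if len(fields) < 6 or not fields[4].startswith("sshd["):
        return None
    m = FAILED_RE.search(fields[5])
    if not m:
        return None
    stamp = f"{year} {fields[0]} {fields[1]} {fields[2]}"  # syslog has no year
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m.group(1)


def find_bans(log_text, maxretry=3, findtime=600, bantime=3600):
    """Sliding window per IP: ban when `maxretry` failures fall within `findtime` seconds.

    Returns {ip: (ban_start, ban_end)}. Failures arriving while an IP is already
    banned are ignored, as the firewall would have dropped them anyway.
    """
    recent = {}  # ip -> deque of failure timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue
        window = recent.setdefault(ip, deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # expire failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans


def ban_commands(bans, table="inet ssh_guard", set_name="banned", bantime=3600):
    """Render one nft command per banned IP (assumed table/set with 'flags timeout')."""
    return [f"nft add element {table} {set_name} {{ {ip} timeout {bantime}s }}"
            for ip in sorted(bans)]


if __name__ == "__main__":
    for cmd in ban_commands(find_bans(SAMPLE_AUTH_LOG)):
        print(cmd)
```

The design point worth noticing is the window expiry: the third entry for 203.0.113.8 never triggers because failures older than `findtime` are dropped before counting, which is exactly why a slow, patient scanner slips under default fail2ban settings while a noisy botnet does not. Tightening `findtime` or `maxretry` trades that off against locking yourself out after a few typos, which is a good reason to keep key-only authentication as the real control and treat this as log hygiene, as the replies above say.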