Each time I’ve read into self-hosting it often sounds like opening stuff up to the internet adds a bunch of complexity and potential headaches, but I’m not sure how much of it is practicality vs being excessively cautious.
Limiting the attack surface is a big part, geo restrictions, reputation lists, brute force mitigation, it all plays a role. Running a vulnerability scanner against your stuff is important to catch things before others do and regular patching is important too. It’s can be a rewarding challenge.
Can you recommend me a vulnerabunity scanner?
https://www.tenable.com/products/nessus/nessus-essentials
https://www.rapid7.com/blog/post/2012/09/19/using-nexpose-at-home-scanning-reports/
Both Nessus and Nexpose are typically enterprise class systems but they have community licensing available for home labs. Nessus can even be set up in a docker container. OpenVAS is more or less free but can be upgraded with pro-feeds, but last I tried it it was a bit more rough to use.
Do be aware though that throwing a full force scan will use a lot of CPU and can break things depending on the settings, so it’s good to practice their settings on some non-critical systems first to get a feel for them.
Thanks sounds like a fun weekend project. My 72 cores are bored most of the time anyways. 😃
It’s always a balance between security and convenience. You have to mitigate what risk you are willing to well…risk
The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.
This is the way.
Funnily enough it’s exactly the opposite way of where the corporate world is going, where the LAN is no longer seen as a fortress and most services are available publically but behind 2FA.
Corporate world, I still have to VPN in before much is accessible. Then there’s also 2FA.
Homelab, ehhh. Much smaller user base and within smackable reach.
Oh right. The last three business I’ve worked in have all been fully public services; assume the intruder is already in the LAN, so don’t treat it like a barrier.
Can I ask your setup? I’d like to get this for myself as well.
Try pivpn. It is meant to run on a raspberry pi, but it should work on most Ubuntu and Debian based distributions.
Not OP but… I have an old PC as a server, Wireguard in docker container, port-forward in the router and that’s it
Which image? I’ve seen a few wireguard options on docker hub
Linuxserver
Only my Stremio add-ons, such as Knightcrawler, Annatar and Stremio-Jackett.
There’s a wid range of opinions on this. Some people only access their services via tunnel, some people open most of their services up to the internet, as long as they’re authenticated. One useful option for https services is to put them behind a reverse proxy that require oauth authentication, which allows you to have services over the internet, without increasing your attack surface. But that breaks apps like Nextcloud and Lemmy, so it’s not a universal option.
I keep everything behind a VPN so I don’t have to worry much about opening things up to the Internet. It’s not necessary about the fact that you’re probably fine but more so what the risk to you is if that device is compromised, ex: a NAS with important documents, or the idea that if that device is infected, what can that device access.
You could expose your media server and not worry too much about that device but having it in a “demilitarized zone”, ensuring all your firewall rules are correct and that that service is always updated is more difficult than just one VPN that is designed to be secure from the ground up.
Only my emby and ombi containers has an open path in/out, everything else is local or VPN only
All of it is LAN only except Wireguard and some game servers.
I see what the internet does to my work stuff, my home is sandboxed.
100% is lan only cause my isp is a cunt
Tailscale with the Funnel feature enabled should work for most ISPs, since it’s setup via an outbound connection. Though maybe they’re Super Cunts and block that too.
Prompt: Super Cunt, photorealistic, in the style of Jill Greenberg.
Ah, CG-NAT, is it? There are workarounds
PII or anything that would demonstrate clear attribution is LAN, the rest of the “fun” stuff lives on a VPS. Wireguard between them.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters NAS Network-Attached Storage VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
[Thread #549 for this sub, first seen 26th Feb 2024, 21:45] [FAQ] [Full list] [Contact] [Source code]
Unlike most here, I’m not as concerned with opening things up. The two general guidelines I use are 1. Is it built by a big organization with intent to be exposed, and 2. What’s the risk if someone gets in.
All my stuff is in docker, so compartmentalized with little risk of breaking out of the container. Each is on it’s own docker network to the reverse proxy, so no cross-container communication unless part of the same stack.
So following my rules, I expose things like Nextcloud and Mediawiki, and I would never expose Paperless which has identity documents (access remotely via Tailscale). I have many low-risk services I expose on demand. E.g. when going away for a weekend, I might expose FreshRSS so I can access the feed, but I’d remove it once I got home.
Doesn’t Nextcloud running in Docker want the socket exposed?
I googled around for an example https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation.
Ignore me if you’ve already hardened the containers.
I’ve never known a reason to expose the docker socket to Nextcloud. It’s certainly not required, I’ve run Nextcloud for years without ever granting it socket access.
Most of the things on that linked page seem to be for Docker rather than Nextcloud, and relate to non-standard configuration. As someone who is not a political target, I’d be pretty happy that following Nextcloud’s setup guide and hardening guide is enough.
I also didn’t mention it, but I geoblock access from outside my country as a general rule.
I was looking into setting up Nextcloud recently and the default directions suggest exposing the socket. That’s crazy. I checked again just now. I see it is still possible to set it up without socket access, but that set of instructions isn’t as prominent.
I linked to Docker in specific because if Nextcloud has access to the socket, and hackers find some automated exploit, they could easily escalate out of the Docker container. It sounds like you have it more correctly isolated.
Was it Nextcloud or Nextcloud All in One? I’ve just realised that the Nextcloud docker image I use is maintained by Docker, not Nextcloud. It’s this one: https://hub.docker.com/_/nextcloud/
I use Docker-compose and even the examples there don’t have any socket access.
The all in one image apparently uses Traefik, which seems weird to use an auto configuring reverse proxy for an all in one image where you know the lay of the land. Traefik requires access to the docker socket for auto configuration. But you can proxy the requests to limit access to only what it needs if you really want to use it.
What I was looking at was the All in One, yes. I didn’t realize there was a separate maintained image, thank you! I’d much rather have a single image without access to the socket at all, I’ll give that a shot sometime.
One warning: in my experience, you can not jump two major versions. Not just it won’t work, but that if you try it everything will break beyond repair and you’ll be restoring from a backup.
Two major versions can sometimes be a matter of a few months apart, so make sure you have a regular update schedule!
(Also, people say never update to a X.0 release, the first version of a major release often has major bugs).
TL;DR don’t take too long to update to new releases, and don’t update too quickly!
Also, the docker image is often a day or so behind the new release, soNextcloud tells you an update is available but often you then need to wait until the next day to get the updated docker image. I guess this is because (as I’ve just learnt) the image is built by Docker not Nextcloud.
Nothing is exposed. There are things I want exposed, but I don’t want to keep security patches up to date, even if there is a zero day. I’m looking for someone trustworthy to hire for things that it would be useful to expose, but they are hard to find.
Just VPN back in with WireGuard.
I think it would be better if you just setup auto updating regardless
The only acessible element is the webserver. Fileserver, home automation, octopi, proxmox, media, etc etc are all isolate.
Everything critical is on lan (docs, passwords, media), everything else is on vps (gameserver, fediverse, websites). I dont mix these as I absolutely dont want to deal with a breakin. I assume they will get in so I airgap them more or less.
