Self-Hosted Main

515 readers

1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

Service: Dropbox - Alternative: Nextcloud
Service: Google Reader - Alternative: Tiny Tiny RSS
Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Awesome-Selfhosted List of Software
Awesome-Sysadmin List of Software

founded 1 year ago

MODERATORS

communick@selfhosted.forum

How to confirm home server security (alien.top)

submitted 11 months ago by zubitti@alien.top to c/main@selfhosted.forum

8 comments fedilink hide all child comments

Is there a way to confirm that my home server's security is sufficient for most common attacks?

Externally, I only have the ports 80, 443 (Nginx-Proxy-Manager) and 51829 (Wireguard VPN) enabled on the router.

I have a Rpi4 and a mini PC connected to the router via ethernet cable. And I am using NPM for reverse proxy. Also enabled SSL for local DNS so I don't have to keep typing the IP addresses for each server.

All my apps are docker containers and they all use network_mode: bridge.

And finally, I have only two services open to internet. The media server and the Wireguard VPN. Got the free DuckDNS domains and configured in the NPM.

I haven't done any specific firewalls. Just using default Debian 12 settings and default Docker engine settings.

top 8 comments

sorted by: hot top controversial new old

[–] Anycast@alien.top 1 points 11 months ago

Minor security through obscurity thing you could implement: buy you own domain through cloudflare for ~$10/year. Use their proxy so that your public IP doesn’t resolve to your home public IP like it does now with DuckDNS. If you want to get fancy, you can also use their API with fail2ban to block connections after a predefined number of login failures.

[–] Outrageous_Plant_526@alien.top 1 points 11 months ago

Go to public.cyber.mil and download the appropriate stigs for your stuff, review them, and apply the settings. Always a good start to improving the security.

[–] Cybasura@alien.top 1 points 11 months ago

I recommend you dont touch network_mode unless you absolutely need it

Most services shouldnt need the network_mode, just gotta port forward/translate most of the time

[–] kindrudekid@alien.top 1 points 11 months ago (1 children)

Audit-ssh and testssl.

Audit ssh shows all the algorithm in use and setting and shows then colored format like red bad and so on…

Same with testssl, which tls supported ? Https redirect ? What cipher suites etc … again all color coded.

Both available via homebrew for Mac.

If you use Mozilla recommended for ssh and ssl you should be fine

[–] chaplin2@alien.top 1 points 11 months ago

Frankly these are useless. SSH is secure by default and will never support algorithms that could be possibly broken. Same for TLS 1.3

[–] ithilelda@alien.top 1 points 11 months ago

yes, there are professional third party cybersecurity auditors you can hire, but I doubt anyone here would ever need them.

Please people, stop being paranoid about your security. close up all unnecessary ports, and that's what you can do on your end. whatever else, if the service binding to an open port has security vulnerabilities you don't know, the project team may very well be unaware of it either, and there's nothing you could do.

also, if you have multiple users using your service, then it's their password strength that you should be worrying the most, not your infrastructure.

[–] peekeend@alien.top 1 points 11 months ago

Check Wazuh and Greenbone, but it requires a high learning curve so have fun learning the basics

[–] PassiveLemon@alien.top 1 points 11 months ago

Sounds very similar to my setup. All I would recommend is SSH through keys (and disable root login) and don’t put everything into the Docker network bridge. If you have containers that need a database or other container(s), make a network for those.

Obviously keep up to date with new updates. There are many services that can automatically notify you for updates like Watchtower. You can also set it up automatically update the container but it’s not always recommended in case of breaking changes.