this post was submitted on 28 Nov 2023
3 points (100.0% liked)

Self-Hosted Main

502 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
[email protected]
3
Looking for suggestions to limit access to a public self-hosted page (alien.top)
submitted 9 months ago by [email protected] to c/[email protected]
9 comments fedilink hide all child comments
 

I'm looking to open up a site with a login portal to the internet, but I'm hoping to avoid the page getting scanned too much and avoid bruteforce attempts on the login. I know there are some solutions that already exist like Fail2Ban, but I'm hoping for something different if it exists.

My thinking is that I'd like to put an IP filter on the page, but that I could "automate" adding IP addresses somehow. I was thinking I could have some sort of authentication server where I could email someone a unique URL that they would click on and provide some kind of information confirming that they're who they say they are. Once confirmed, the public IP that was used to access the unique URL would be added to a whitelist that would allow access to the login portal.

Is there a service that exists that could do something like this? I had a quick look at Authelia and SuperTokens, but I'm not sure if that's what I'm looking for.

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 9 months ago (1 children)

It sounds like you just want email auth. Also known as passwordless login. Also known as magic link.

Fail2ban is a much more robust solution than automated up whitelisting. You are gonna have so many issues with that. What if someone opens your site from a coffee shop, or their isp changes their IP address with a router restart? You'd have to reauth that client. But then you'd also still be allowing the old ip.

I don't think automated whitelisting is "a thing". Mostly because an IP is not an identity so it's woefully insufficient to authenticate people.

Also brute forcing should be handled by whatever handles auth by rate limiting auth requests by ip.

[–] [email protected] 1 points 9 months ago (1 children)

Thanks for the insight. I'm not worried about people logging in from different locations to be honest. The access would pretty much just be for the day then that's it. My main concern (or I guess I could say wish) is that I can leave the site "exposed" to the internet without having a bunch of bots scanning it all the time. So I was hoping for some kind of solution where the site would be completely hidden until someone authenticates themselves. I mentioned IP whitelisting because that's all I could think of, but maybe there would be another way? Or maybe what I'm asking just isn't possible?

[–] [email protected] 1 points 9 months ago

leave the site "exposed" to the internet without having a bunch of bots scanning it all the time

This is not a thing. Everything exposed to the public internet will be scanned constantly forever.

You can reduce your attack surface by limiting the software/ports you expose, or by having another service/computer act as a proxy. This is what Cloudflare does as their main business.

You can get 99% of the benefit you seek by just signing up for the free version of Cloudflare and putting them in front of your webserver. You can configure the firewall on your webserver to only allow access to Cloudflare's servers and let Cloudflare deal with the bots.

Another approach would be to store data on AWS S3 or similar with a time-limited URL with a short expiration date, that you provide only to approved parties. You wouldn't even need to run a public server to do this, and access will automatically be denied after the time period you specify. (This might make more sense if you're distributing big files, versus displaying a screen or two full of information.)

You could also do a web search for "port knocking; or configure client-side TLS certificates, which can be difficult to manage but would allow you to restrict full access to your server. (still vulnerable to DDoS, though)

[–] [email protected] 1 points 9 months ago (1 children)

I'm using Cloudflare Applications (part of Zero Trust) for this. You can add multiple login methods (email, Google, Facebook, Github, ect) and also IP addresses. I think it's also possible to accept someone when they request access. It's very easy to set-up and will also prevent brute force attacks. You can protect a whole application but it's also possible to protect specific paths.

[–] [email protected] 1 points 9 months ago

Can you restrict access to certain Google accounts?

[–] [email protected] 1 points 9 months ago

Cloudflare Access would be the simplest solution imo. You just add their email address to the whitelist and have them access the site, they'll have to enter their email and then they will get a one time code sent to their email which then they could authenticate with.

[–] [email protected] 1 points 9 months ago

I am using NPM + Authelia for this

[–] [email protected] 1 points 9 months ago

You can set up mod_security to rate limit access from a single IP. If you want to go one level higher, you can configure mod_security with WAF capabilities. There's plenty of examples of this.

[–] [email protected] 1 points 9 months ago

Maybe use cloudflare, then create a firewall rule that limits connections to 80/443 inbound ONLY from Cloudflares subnets?

You can then get some pretty decent metrics and they even have a bot filter along other stuff