this post was submitted on 24 Jul 2024
117 points (99.2% liked)

Selfhosted

40445 readers
270 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Opening your router to the Internet is risky. Are there any guides for the basics to keep things secure? Things like setting up fail2ban? My concern is that I'll forget something obvious.

Edit: I haven't had much of a chance to read through everything yet, but I really appreciate all these long, detailed responses. ❤️ Thanks folks!

all 25 comments
sorted by: hot top controversial new old
[–] [email protected] 45 points 4 months ago (1 children)

I hear you can get a pretty good offer from CrowdStrike these days.

[–] [email protected] 36 points 4 months ago (1 children)

Anything exposed to the internet will be found by the scanners. Moving ssh off of port 22 doesn’t do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.

(It’s actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)

The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.

Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.

You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It’s a good idea, but decreases accessibility (which is part of security) - so there’s a value judgement here between the strength of a vpn and your accessibility goals.

Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it’s for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.

After strong auth, you want to think about software vulnerabilities - and you don’t have to think much, because there’s only one answer: keep your stuff up to date.

All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky. In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:

  • Any successful ssh login
  • Any successful root login
  • If a port starts listening that you didn’t expect
  • If the system watching for these things goes down (have two systems that watch each other)

That list could be much longer, but that’s a good start.

After Identification, there’s Contain + Eradicate. In a homelab context, that’s probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they’re in, they’re in. Reformat the disk.

R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for “rebuild”. Combine this with L (lessons learned) to rebuild differently than before.

To close out this essay though, I want to reiterate Strong Auth. If you’ve got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)

[–] [email protected] 4 points 4 months ago

This is an excellent comment, thanks for writing this up

[–] [email protected] 33 points 4 months ago* (last edited 4 months ago) (1 children)

It depends on what you're self-hosting and If you want / need it exposed to the Internet or not. When it comes to software the hype is currently setup a minimal Linux box (old computer, NAS, Raspberry Pi) and then install everything using Docker containers. I don't like this Docker trend because it 1) leads you towards a dependence on property repositories and 2) robs you from the experience of learning Linux (more here) but I it does lower the bar to newcomers and let's you setup something really fast. In my opinion you should be very skeptical about everything that is "sold to the masses", just go with a simple Debian system (command line only) SSH into it and install what you really need, take your time to learn Linux and whatnot.

Strictly speaking about security: if we're talking about LAN only things are easy and you don't have much to worry about as everything will be inside your network thus protected by your router's NAT/Firewall.

For internet facing services your basic requirements are:

  • Some kind of domain / subdomain payed or free;
  • Preferably Home ISP that has provides public IP addresses - no CGNAT BS;
  • Ideally a static IP at home, but you can do just fine with a dynamic DNS service such as https://freedns.afraid.org/.

Quick setup guide and checklist:

  1. Create your subdomain for the dynamic DNS service https://freedns.afraid.org/ and install the daemon on the server - will update your domain with your dynamic IP when it changes;
  2. List what ports you need remote access to;
  3. Isolate the server from your main network as much as possible. If possible have then on a different public IP either using a VLAN or better yet with an entire physical network just for that - avoids VLAN hopping attacks and DDoS attacks to the server that will also take your internet down;
  4. If you're using VLANs then configure your switch properly. Decent switches allows you to restrict the WebUI to a certain VLAN / physical port - this will make sure if your server is hacked they won't be able to access the Switch's UI and reconfigure their own port to access the entire network. Note that cheap TP-Link switches usually don't have a way to specify this;
  5. Configure your ISP router to assign a static local IP to the server and port forward what's supposed to be exposed to the internet to the server;
  6. Only expose required services (nginx, game server, program x) to the Internet us. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
  7. Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
  8. Disable IPv6? Might be easier than dealing with a dual stack firewall and/or other complexities;
  9. Use nftables / iptables / another firewall and set it to drop everything but those ports you need for services and management VPN access to work - 10 minute guide;
  10. Configure nftables to only allow traffic coming from public IP addresses (IPs outside your home network IP / VPN range) to the Wireguard or required services port - this will protect your server if by some mistake the router starts forwarding more traffic from the internet to the server than it should;
  11. Configure nftables to restrict what countries are allowed to access your server. Most likely you only need to allow incoming connections from your country and more details here.

Realistically speaking if you're doing this just for a few friends why not require them to access the server through WireGuard VPN? This will reduce the risk a LOT and won't probably impact the performance. Here a decent setup guide and you might use this GUI to add/remove clients easily.

Don't be afraid to expose the Wireguard port because if someone tried to connect and they don't authenticate with the right key the server will silently drop the packets.

Now if your ISP doesn't provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare tunnels and how to setup and alternative / more private solution.

[–] Sethayy 15 points 4 months ago (1 children)

I skimmed over your entire comment minus the part about docker, so if you answered this somewhere and I'm a dumbass I already accept fault,

that being said docker has taught me more about Linux than anything else, cause its like a micro Linux you can reliably bring up and take down on demand, without requiring risking breaking your GUI or something scary

[–] [email protected] 6 points 4 months ago* (last edited 4 months ago) (1 children)

Oh well, If you think you're good with Docker go ahead use it, it does work but has its own dark side...

cause its like a micro Linux you can reliably bring up and take down on demand

If that's what you're looking for maybe a look Incus/LXD/LXC or systemd-nspawn will be interesting for you.

I hope the rest can help you have a more secure setup. :)

Another thing that you can consider is: instead of exposing your services directly to the internet use a VPS a tunnel / reverse proxy for your local services. This way only the VPS IP will be exposed to the public (and will be a static and stable IP) and nobody can access the services directly.

client ---> VPS ---> local server

The TL;DR is installing a Wireguard "server" on the VPS and then have your local server connect to it. Then set something like nginx on the VPS to accept traffic on port 80/443 and forward to whatever you've running on the home server through the tunnel.

I personally don't think there's much risk with exposing your home IP as part of your self hosting but some people do. It also depends on what protection your ISP may offer and how likely do you think a DDoS attack is. If you ISP provides you with a dynamic IP it may not even matter as a simple router reboot should give you a new IP.

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

I think there's a lot of risk exposing your home IP with services behind it. Last time I did it, within minutes the router got slammed with requests trying to break into services. It actually impacted router performance.

Great writeup!

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

That looks like a DDoS, for instance that doesn't ever happen on my ISP as they have some kind of DDoS protection running akin to what we would see on a decent cloud provider. Not sure of what tech they're using, but there's for certainly some kind of rate limiting there.

  1. Isolate the server from your main network as much as possible. If possible have then on a different public IP either using a VLAN or better yet with an entire physical network just for that - avoids VLAN hopping attacks and DDoS attacks to the server that will also take your internet down;

In my case I can simply have a bridged setup where my Internet router get's one public IP and the exposed services get another / different public IP. If there's ever a DDoS, the server might be hammered with request and go down but unless they exhaust my full bandwidth my home network won't be affected.

Another advantage of having a bridged setup with multiple IPs is that when there's a DDoS/bruteforce then your router won't have to process all the requests coming in, they'll get dispatched directly to your server without wasting your router's CPU.

As we can see this thing about exposing IPs depends on very specific implementation detail of your ISP or your setup so... it may or may not be dangerous.

[–] [email protected] 9 points 4 months ago (1 children)

Definitely look into fail2ban. There might be something newer out there, but something like that is essential for running open WAN ports.

[–] [email protected] 14 points 4 months ago (1 children)

Forget fail2ban, use crowdsec instead. It is a kind of next generation fail2ban ☝🏻😃

[–] [email protected] 2 points 4 months ago (1 children)

Is that something like Crowdstrike? ;)

[–] [email protected] 2 points 4 months ago

Nope, that are two different things, but if you want to crash your server just run sudo rm -rf /etc && sudo rm -rf /var This is fun enough 😃

[–] [email protected] 6 points 4 months ago* (last edited 4 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
LXC Linux Containers
NAS Network-Attached Storage
NAT Network Address Translation
SSH Secure Shell for remote terminal access
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #884 for this sub, first seen 24th Jul 2024, 19:35] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 5 points 4 months ago* (last edited 4 months ago) (1 children)

Depends on your approach, but only open the minimum amount of ports necessary. Fail2ban is a good idea.

Consider a strict default deny iptables that also affects the output table - in case someone does get in, this will limit the damage one can do by making it part of a botnet.

Personally I like to isolate any exposed servers on its own vlan, so in case of compromise, it won't affect any of the other hardware I'm running.

Also, most routers have less strict security if the connection is coming from the inside. Make sure any access methods to your router is secure.

[–] [email protected] 2 points 4 months ago

Also, most routers have less strict security if the connection is coming from the inside. Make sure any access methods to your router is secure.

Damn good point. Use the same security internally as externally.

[–] [email protected] 3 points 4 months ago

So, no-one's mentioned tailscale. If it's just for you, or some select friends, it's probably the least friction to get secure access to your home network. Still, gotta check your threat matrix, do you really need it, is it really worth it for that occasional, maybe hypothetical usage ? Least access is best security...

[–] [email protected] 2 points 4 months ago

Isolate it all and keep on top of security advisories and updates

[–] [email protected] 1 points 4 months ago (1 children)

You can use cloudflare tunnels which skips having to open ports and can also proxy the connection so people can't find your home IP address depending on what services you're setting up

[–] [email protected] 1 points 4 months ago (1 children)

Obligatory Cloudflare notice

[–] [email protected] 2 points 4 months ago (1 children)
[–] [email protected] 7 points 4 months ago (1 children)

People don't like centralizing the Internet in a single service. There's nothing wrong with the product. It works great and is much more secure than opening ports in your home network. This community is just more biased toward decentralization and privacy, which is a common reason for people to start self hosting.

I think wireguard can allow you to set up a similar external connection with some extra steps. This would remove Cloudflare from the loop.

[–] [email protected] 1 points 4 months ago

Oh got it, I use wire guard as a VPN for services that only I need but for things I share with multiple people I use cloudflare tunnel after learning about it from youtube tutorials