this post was submitted on 31 Oct 2023
1 points (100.0% liked)

Self-Hosted Main

515 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

I have a personal domain name. I got it because my first name was available with my country tld.

I use it for email, which I will most likely keep forever, but how about my self-hosted stuff?

I use Slack's Nebula to access my self-hosted resources externally.

Would you mind exposing your VPS:es IP:s to the world by adding them as subdomains? In my case lighthouse1.myname.tld and lighthouse2.myname.tld?

I feel much more secure using DuckDNS for those IP:s as it should make it much harder to identify my attack surface.

Does it make sense or am I just paranoid?

I really don't like the idea of my attack surface being easily identifiable just by my email or first name.

top 8 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 1 year ago

It’s easy enough to run Authelia in front of all of your subdomains. Suddenly you’re back to one attack vector.

[–] [email protected] 1 points 1 year ago (1 children)

IPs are exposed to the world by default. Bots will happily sit there 24/7 scanning the entire IPv4 range, so you’re unlikely to see any impact from having a subdomain vs not. As others have said, you’re better off focusing on making sure your VPS is secure - SSH keys only, HTTPS only, reverse proxy with authentication and strong passwords, etc, maybe configuring the firewall to completely drop packets that aren’t from your home IP to non-VPN ports (and use a VPN from outside the house).

Alternatively, if it’s just you and maybe one or two others, you could look at something like Tailscale or Cloudflare Tunnel, in which case the VPS would be calling out to someone else to open a tunnel, and you wouldn’t need any ports open. That adds a dependency on someone else, though, which may not be ideal.

[–] [email protected] 1 points 1 year ago (1 children)

Yeah the IP:s are there for the world to see, but you won't easily know they belong to me unless I point to them from my domain.

I'm running a server at home without portforwarding. I connect to it using Nebula on VPS, which is like Tailscale without having to trust anyone.

[–] [email protected] 1 points 1 year ago

Yeah the IP:s are there for the world to see, but you won't easily know they belong to me unless I point to them from my domain.

As has been pointed out though, it makes no difference and no-one cares. No-one is manually cross referencing IP's and domains, and besides, what difference will it make anyway?

I've heard this argument before with someone saying they use DDNS on all customer sites instead of static IPs as it's "more secure" because there's a website out there with exposed desktops listed on it.

[–] [email protected] 1 points 1 year ago

What makes you think that DuckDNS will hide your ip?

[–] [email protected] 1 points 1 year ago (1 children)

My approach is using Nginx and wildcard subdomains. The specific subdomain name that accesses the service is not listed in DNS anywhere and just knowing the IP address doesn't get you anything since m.y.i.p:443 is just getting you an nginx landing page.

[–] [email protected] 1 points 1 year ago

ngl the wildcard sub idea is a good one

[–] [email protected] 1 points 1 year ago

Paranoid.

For ease of use though (especially if any of it is going to be public or semi public) having an alternate domain is nice.