this post was submitted on 13 Nov 2025
141 points (98.6% liked)

Selfhosted


I'm wondering if I'm starting to outgrow Tailscale... my wife keeps having networking issues on Android due to Tailscale, the Nvidia Shield kills the Tailscale app randomly, and my parents' TV doesn't have a Tailscale app...

I feel like the time is approaching to publicly expose some of my services to the internet...

Any other tips?

[–] paequ2@lemmy.today 6 points 1 week ago* (last edited 1 week ago) (2 children)

> Harden your server first

Do you have any tutorials or guides on this handy?

> Use your router/server to block some counties using geoip

Yeah, definitely all my users are in the same town/region/country as me. So this could be doable.

> Configure rate limits in Nginx

Hm, currently using Caddy as my reverse proxy. I guess there's some module for this.

> only open ports in your firewall you really want to open

The only port I need open is 443 for accessing Jellyfin and Immich. I can definitely block 22 from the public internet. And fuck it no automatic redirects from 80 to 443. TLS or bust.
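
The "only 443 open" goal in the comment above can be checked on the host itself rather than assumed. The script below is an added example, not code from this thread: it parses the output of `ss -Hltn` (iproute2: listening TCP sockets, numeric, no header) and reports any socket bound to a wildcard address on a port that is not on the allow list, treating listeners bound only to a Tailscale (100.64.0.0/10) or loopback address as not internet-facing. The `ss` sample embedded in it is constructed for the example, not captured from a real machine, and `ALLOWED_PUBLIC_PORTS` is the assumed policy from the comment.

```python
"""Audit which TCP listeners on this host are reachable from the internet.

Added example, not code from the thread. It parses `ss -Hltn` output and
flags sockets bound to a wildcard address on a port that is not on the
allow list. The sample output below is constructed, not a real capture.
"""
import ipaddress
import subprocess
import sys

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      4096          0.0.0.0:443         0.0.0.0:*
LISTEN 0      4096             [::]:443            [::]:*
LISTEN 0      128           0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096        127.0.0.1:8096        0.0.0.0:*
LISTEN 0      4096       100.64.0.5:22          0.0.0.0:*
LISTEN 0      4096          0.0.0.0:80          0.0.0.0:*
"""

# Assumed policy from the comment: only 443 is meant to be public.
ALLOWED_PUBLIC_PORTS = {443}

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10;
# a socket bound only to such an address answers on the tailnet, not on
# the public interface.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_ss(output):
    """Return [(bind_address, port), ...] from `ss -Hltn` text."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # The last ':' separates the port; IPv6 addresses are bracketed.
        host, _, port = fields[3].rpartition(":")
        listeners.append((host.strip("[]"), int(port)))
    return listeners


def classify(host):
    """Scope of a bind address: public, loopback, tailnet or lan."""
    if host in WILDCARDS:
        return "public"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4 and addr in TAILNET:
        return "tailnet"
    if addr.is_private:
        return "lan"
    return "public"


def unexpected_exposures(output, allowed=ALLOWED_PUBLIC_PORTS):
    """Sorted (host, port) pairs bound publicly but not on the allow list."""
    findings = {
        (host, port)
        for host, port in parse_ss(output)
        if classify(host) == "public" and port not in allowed
    }
    return sorted(findings)


if __name__ == "__main__":
    try:
        text = subprocess.run(["ss", "-Hltn"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("ss not available, using constructed sample", file=sys.stderr)
        text = SAMPLE_SS_OUTPUT
    for host, port in unexpected_exposures(text):
        print(f"exposed on {host}:{port} but not on the allow list")
```

On the constructed sample this reports `0.0.0.0:22` and `0.0.0.0:80`: sshd on the wildcard address contradicts "block 22 from the public internet", and the port 80 listener is the redirect the comment wants gone. A listener the script does not flag can still be unreachable because of the firewall, so this complements the firewall rules rather than replacing them; the useful direction is the opposite one, catching a service that quietly started binding to all interfaces.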

[–] melroy@kbin.melroy.org 7 points 1 week ago

Caddy is also fine.

I wrote a blog about server hardening and you might find it useful: https://blog.melroy.org/2023/server-hardening/

[–] irmadlad@lemmy.world 4 points 1 week ago* (last edited 1 week ago)

> Do you have any tutorials or guides on this handy?

Now that's a deeeeep rabbit hole. I tend to go overboard on hardening and security, however, one good place to start is installing Lynis and running a scan. Lynis will spit out a rather extensive list of areas you need to harden or adjust and a score for your server. It will also give links where you can go and read up on the specific item in question. Now, not every one of the bullets in the list will apply, but you should give each careful consideration. Lynis is Free and Open Source Software (FOSS).

I ran a scan just for demonstration purposes so you can see what the end results are. This is just a snippet:


  * Configure minimum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
      https://cisofy.com/lynis/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

Be mindful of where you get your hardening tutorials. There are hundreds of thousands out there. I would stick with authoritative sources.

ETA: I would also recommend reading up on Cloudflare Tunnels/ZeroTrust. I know some people are iffy about Cloudflare and I see their points. It's worth a read in my opinion.
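
Because, as the comment above says, not every Lynis bullet applies, the list is easier to work through when it is grouped by control and the items you have consciously accepted are filtered out. The script below is an added example, not part of Lynis or of this thread: it reads the machine-readable report Lynis writes alongside the console output (by default `/var/log/lynis-report.dat`) and groups findings by control ID with the same `https://cisofy.com/lynis/controls/<ID>/` link shown above. It assumes the report's `suggestion[]=ID|description|details|solution|` and `warning[]=...` line layout; check that against your own report file. The embedded report is constructed from the control IDs quoted in the comment plus one placeholder warning, not taken from a real host.

```python
"""Group Lynis findings by control and drop consciously accepted ones.

Added example, not part of Lynis or of the thread. Assumes the
lynis-report.dat layout 'suggestion[]=ID|description|details|solution|'
(and the same for 'warning[]='); verify against your own report.
"""
import sys
from collections import defaultdict

CONTROL_URL = "https://cisofy.com/lynis/controls/{}/"

# Constructed sample report: control IDs from the thread, plus a
# placeholder warning (TEST-0000 is not a real Lynis control).
SAMPLE_REPORT = """\
hardening_index=64
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-|
warning[]=TEST-0000|Constructed warning to show severity handling|constructed detail|-|
"""


def parse_report(text):
    """Return (hardening_index, findings); each finding is a dict."""
    hardening_index = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "hardening_index":
            hardening_index = int(value)
        elif key in ("suggestion[]", "warning[]"):
            parts = value.split("|")
            if len(parts) < 2:
                continue
            control = parts[0]
            details = parts[2] if len(parts) > 2 and parts[2] != "-" else ""
            findings.append({
                "severity": key[:-2],          # "suggestion" or "warning"
                "control": control,
                "description": parts[1],
                "details": details,
                "url": CONTROL_URL.format(control),
            })
    return hardening_index, findings


def group_by_control(findings, accepted=()):
    """Map control ID -> findings, skipping controls marked as accepted."""
    grouped = defaultdict(list)
    for f in findings:
        if f["control"] in accepted:
            continue
        grouped[f["control"]].append(f)
    return dict(grouped)


def summarize(text, accepted=()):
    """Human-readable triage list, warnings first within each control."""
    index, findings = parse_report(text)
    grouped = group_by_control(findings, accepted)
    total = sum(len(v) for v in grouped.values())
    lines = [f"hardening index: {index}",
             f"open findings: {total} across {len(grouped)} controls"]
    for control in sorted(grouped):
        items = grouped[control]
        sev = "WARNING" if any(i["severity"] == "warning" for i in items) else "suggestion"
        lines.append(f"[{control}] {sev} x{len(items)}  {items[0]['url']}")
        for i in items:
            extra = f" ({i['details']})" if i["details"] else ""
            lines.append(f"    - {i['description']}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 lynis_triage.py [/var/log/lynis-report.dat] [ACCEPTED-ID ...]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    accepted = set(sys.argv[2:])
    report = open(path).read() if path else SAMPLE_REPORT
    print(summarize(report, accepted))
```

Keeping the accepted IDs in a file under version control (for example FILE-6310 on a single-disk VPS where separate partitions are not going to happen) turns the scan into a diff: a re-run after changes should only show controls you have not yet decided on, and a control reappearing after you fixed it is the signal worth looking at.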