Selfhosted

53057 readers

649 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

141

Using Fail2ban to protect exposed services (arvind.io)

submitted 1 week ago by paequ2@lemmy.today to c/selfhosted@lemmy.world

32 comments fedilink hide all child comments

I'm wondering if I'm starting to outgrow Tailscale... my wife keeps having networking issues on Android due to Tailscale, the Nvidia Shield kills the Tailscale app randomly, and my parents' TV doesn't have a Tailscale app...

I feel like the time is approaching to publicly expose some of my services to the internet...

Any other tips?

you are viewing a single comment's thread
view the rest of the comments

[–] shadshack@sh.itjust.works 11 points 1 week ago* (last edited 1 week ago) (1 children)

If you're looking to actually do Fail2ban, look into crowdsec first. It's a similar concept but instead of creating your own block lists by people hammering against your system until they're banned, it uses community-populated lists to pre-ban known bad actors.

I know a lot of people shit on it from a decentralization perspective, but I use Cloudflare to expose all my services. Then anyone who hits my sites has to go through Cloudflare's detections first. I have all my services behind a reverse proxy (nginx proxy manager) running locally, and that's the only though exposed to the Internet through my router, also that ONLY allows connections at all from Cloudflare IPs or my local network. My home IP is obfuscated, my services can only be accessed using the ports I define, and things are happy. I also block as much as possible on my router, and have automatic updates on all my server VMs/LXCs.

You could also set up a Cloudflare tunnel to go to the reverse proxy and avoid needing to expose anything to the direct Internet.

Just turn off caching for any media servers domains/subdomains if you go with Cloudflare, or else it will try to cache any media on their servers and it's technically a ToS violation so people get their accounts banned. It's a simple setup to disable cache though.

[–] rainwall@piefed.social 4 points 1 week ago* (last edited 1 week ago) (1 children)

Crowdsec is absolutetly the way to go. Just be aware you need the engine and what they call a "bouncer" both running, but they have easy instructions about how to install both.

[–] Appoxo@lemmy.dbzer0.com 2 points 6 days ago

Theres also a plugin for opnsense which is pretty much plug'n'play.
But iz doesnt have access to service access logs so it will be a bit more handicapped.