Help me harden my home server
https://lemmy.sdf.org/post/24652924
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Wireguard is a VPN, so that’s not going to help you much here unless you’re forwarding all your traffic through a remote server, in which case anyone gets in there will still be able to get your local machines. It’s another hop in the chain, but that’s about it.
If you want to be more on guard about reacting to attacks, or just bad traffic, you probably want something like Crowdsec. You’ll at least be able to detect and ban IPs probing your services. If that’s too much work, leverage OoenWRT reporting and some scripting to ban bad actors that probe your firewall and open ports. That’s a good first step.
If you’re concerned about the containers, consider using something more secure than dockerd. Podman rootless with a dedicated service user is a good start. Then maybe look at something more complex: Kata, gvisor, lxc…etc. The goal being sandboxing the containers more to prevent jailbreaks.
=> More informations about this toot | More toots from just_another_person@lemmy.world
Thanks for the amazing reply and specially for the explanation regarding wireguard.
I didnt know about crowsec and kata containers, both amazing projects, I will definetely look into it and try to set them up.
Just one quick follow up question, when you mention dedicanted service user, do you mean its best to have a sepate user for each service, such as one for nginx, one for adguardhome and so on? Currently all of them run under the same user and I didnt think about this possibility before.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Yeah, so if you’re running rootless containers, they aren’t run by root, and for added security, you don’t want them run by your normal user because if they get broken, then they’d have access to what your user has access to. Just create another user that only runs containers, and doesn’t have access to your things or root.
=> More informations about this toot | More toots from just_another_person@lemmy.world
That makes a lot of sense. Thats also very easy to setup so I will do it tonight.
Thanks again for your amazing input!
=> More informations about this toot | More toots from miau@lemmy.sdf.org
The single best thing you can do security wise, is to NOT have any personal data on a web facing server.
Separate the data
Rereading it does look like you are doing the things right; so just audit what is on the public side. - your calendar and tasks- cool
Your photo and docs, do those need to be on there?
they are not accessible on the WAN
If they are on a server that is publicly accessible, please move them to a different location
Otherwise you sound like your doing well
=> More informations about this toot | More toots from satanmat@lemmy.world
That was a great answer, thank you so much!
Yes I didnt even notice the family photos and docs dont need to be on that same server. Initially I just put them there to act as a local file share. But you are absolutely right, moving them from the public server is the best thing I can do to protect them.
I will look into setting up a second server for the private stuff that is not publicluly accessible
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Also, this answer.
=> More informations about this toot | More toots from just_another_person@lemmy.world
If this server is publicly accessible and gets pwned, they can use it as a jump box for your internal devices.
=> More informations about this toot | More toots from Lyricism6055@lemmy.world
Thats a good point, I hadnt thought about it before. I like the possibility of sharing these files in my intranet but I suppose you are right.
Maybe I could use openwrt to split two networks, one for public stuff only, but my knowledge of networking is quite limited.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Yeah what you’re talking about is a DMZ, it still won’t help a ton if you don’t have strict firewall controls inside your network too.
I just use wireguard with firewall rules to restrict to just my server with my docker containers on it and my DNS
=> More informations about this toot | More toots from Lyricism6055@lemmy.world
Your photo and docs
At least in my case, it’s really handy to share photos with other family members. But certainly you don’t need all of them available on the same public service.
=> More informations about this toot | More toots from sugar_in_your_tea@sh.itjust.works
Thats a good point. Maybe I can get away with just temporary file sharing. So when someone wants something I can upload it to the server and send a link. I bet even nextcloud could do that.
Still way less scary then having everything on the server all the time
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Just close 443 and use VPN with ACME DNS challenges for your certs. That’ll help make it even more secure, nothing is full proof though and a VPN is a good first step
=> More informations about this toot | More toots from Lyricism6055@lemmy.world
Thanks for replying!
I do use dns challanges for renewing my certs. But I use port 443 for application data, not for certs.
Is a vpn always safer then a reverse proxy? Do you use wireguard or do you have any other options worth looking into?
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Is a vpn always safer then a reverse proxy?
Depends on what you trust, I guess.
A reverse proxy on a standard cert is a bigger target for automated scripts than a reverse proxy on a non-standard port. A VPN runs through the VPN’s authentication, whereas a reverse proxy relies on whatever that app’s authentication is. So whether it’s secure enough depends on the VPN configuration, what you’re hosting, etc.
I’m behind CGNAT, so I have limitations you don’t, but here’s my setup:
I like this approach because I can eat my cake (nice domain names instead of IPs and ports) and have it too (fast connection inside LAN, can disable reverse proxy if I want better security). You could get the same w/o the VPS if you skipped the first step, and if you require WireGuard VPN access outside the LAN, you get better security than a public-facing service.
=> More informations about this toot | More toots from sugar_in_your_tea@sh.itjust.works
I didnt mention on my original post but I do have a virtual machine on gcp, which I use to run mongodb. I didnt mention it because I am not too concerned with it, but mostly it follows the same practices, with the exception being that ssh is open and it has no private data in it.
But I suppose I could do something similiar to what you mentioned. The ideia of having and eating the cake is very nice. And if something goes wrong I could turn of public access and have the vpn still working.
I will consider implementing something like that as well, thanks a lot for sharing your thoughts!
=> More informations about this toot | More toots from miau@lemmy.sdf.org
I still use a reverse proxy, but to get into my network you need to be on VPN. It’s more secure for me I guess.
I use traefik forward auth, even inside my network on VPN, for an extra layer of security for some apps.
My opinion is that port 443 getting accidentally misconfigured by me is just too likely a scenario. With wireguard on my router I also am able to restrict traffic to ONLY my webserver and DNS servers for my devices.
So I guess that’s another positive of wireguard, you can use your own DNS servers for all your phones all the time and always have ad blocking with pihole or something similar, even on mobile.
=> More informations about this toot | More toots from Lyricism6055@lemmy.world
You might want to consider that backups only protect very old data from ransomware.
Ransomware works by getting on a machine and sitting for several months before activating. During that time, your data is encrypted but you don’t know because when you open a file, your computer decrypts it and shows you what you expect to see. So your backups are working but are saving files that will be lost once the ransom ware activates.
The only solution is to frequently manually verify the backup from a known safe computer. Years ago I looked for something to automate this but didn’t find it. (Something like a raspberry pi with no Internet that can only see the PC it’s testing, compares a known file, then touches the file so it gets backed up again.)
=> More informations about this toot | More toots from Blue_Morpho@lemmy.world
During that time, your data is encrypted but you don’t know because when you open a file, your computer decrypts it and shows you what you expect to see.
First time i hear of that. You sure? Would be really risky since you basically need to hijack the complete Filesystem communication to do that. Also for that to work you would need the private and public key of the encryption on the system on run time. Really risky and unlikely that this is the case imho.
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
I don’t know much about ransomware but thats what got me concerned. I always assumed if I were to be infected, restic would just create a new snapshot for the files and Id be able to restore after nuking the server.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
I doubt that this is the case, whether it is encrypted or not. The complexity and risks involved with decrypting it on the fly is really unrealistic and unheard of by me (have not heard of everything but still)
Also the ransomware would also need to differentiate between the user and the backup program. When you do differentiated backups(like restic) with some monitoring you also would notice the huge size of the new data that gets pushed to your repo.
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
I see, I appreciate you sharing your knowledge on the matter.
Yeah I thoght about the spike in size, which I would definetely notice because the amount of data is pretty stable and I have limited cloud storage.
Regarding your last point, I currently have everything under a user account: the data I am backing up, the applications and restic itself all run on the same user account. Would it be a good ideia to run restic as root? Or as a different service account?
=> More informations about this toot | More toots from miau@lemmy.sdf.org
You want your backup functional even if the system is compromised so yes another system is required for that, or through it to the cloud. Important that you do not allow deleting or editing of the backup even if the credentials used for backing up are compromised. Basically an append only storage.
Most Cloud Storage like S3 Amazon (or most other S3 compatible providers like backblaze) offer such a setting.
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
Oh, now I get what you mean, thanks for the explanation
Yeah it makes sense, I had originally gone with onedrive for the much cheaper price but I will take a look into s3 compatible storage and consider migrating in the future.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Thanks a lot for your input. I honestly had not considered this possibility.
Others in the post recommended removing those important files from the public facing server so that in the case of an attack they wouldnt be exposed. So I will try and follow this recommendation asap.
But your answer still applies to everything else I will be hosting so I am concerned. I had no idea ransomware was this smart. I will research more about this topic, but basically if I access a file from two different servers and its fine it means the file is free from infection?
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Ransomware is unlikely for a individual as there isn’t a lot of payout. Not impossible but unlikely.
More likely that you computer will be used for other things.
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
Just do what I do and consistently forget to set up DDNS and also be bad at noticing when your ISP juggles your IP address.
=> More informations about this toot | More toots from caseyweederman@lemmy.ca
Been there, done that lol, my ISP doesnt change my IP half as much as I should like, and I renew my certs half as often as they deserve.
Seriously though, I had certs expire twice until I finally decided to get this setup properly.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
It makes sense that Bilbo would run a homeserver.
=> More informations about this toot | More toots from caseyweederman@lemmy.ca
Why would you like your IP to change? My ISP never changed mine and I thank them for that
=> More informations about this toot | More toots from Mubelotix@jlai.lu
Get a VPS and route traffic into a isolated network
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
Admittedly I’m paranoid, but I’d be looking to:
All of the above is free, but past step 2 can be difficult to setup. The peace of mind once it is, however, is worth it to me.
=> More informations about this toot | More toots from TedZanzibar@feddit.uk
Thanks for your reply!
Suggestion 1 definetely does make a lot of sense and I will be doing exactly that asap. Its something I didnt think through before but that would make me much more in peace.
Suggestions 2-4 sound very reasonable, I have indeed searched for a way to self host a waf but didnt find much info. My only only concern with your points is… Cloudflare. From my understanding that would indeed add a lot of security to the whole setup but they would then be able to see everything going through my network, is that right?
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Yes and no? It’s not quite as black and white as that though. Yes, they can technically decrypt anything that’s been encrypted with a cert that they’ve issued. But they can’t see through any additional encryption layers applied to that traffic (eg. encrypted password vault blobs) or see any traffic on your LAN that’s not specifically passing through the tunnel to or from the outside.
Cloudflare is a massive CDN provider, trusted to do exactly this sort of thing with the private data of equally massive companies, and they’re compliant with GDPR and other such regulations. Ultimately, the likelihood that they give the slightest jot about what passes through your tunnel as an individual user is minute, but whether you’re comfortable with them handling your data is something only you can decide.
There’s a decent question and answer about the same thing here: community.cloudflare.com/t/…/28660
=> More informations about this toot | More toots from TedZanzibar@feddit.uk
Yes absolutely. For work most of my clients use cloudflare’s different services so I understand they have credibility.
For me though, part of the reason I self host is to get away from some big tech companies’ grasp. But I understand I am a bit extreme at times.
So thanks for opening my mind and pointing me to that very interesting discussion, as well as for sharing your setup, it sure seems to be very sound security wise.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Sounds exactly like my setup for the last 5 years, minus NGINX (don’t need it with Cloidflared since each service is it’s own Proxmos Container and use their own exclusive tunnels).
=> More informations about this toot | More toots from jjlinux@lemmy.ml
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
We all need to decide for ourselves what we’re comfortable with and what we’re not and then implement appropriate measures to suit. I’m not sure why you’re arguing with me over how I setup my own services for my own use.
=> More informations about this toot | More toots from TedZanzibar@feddit.uk
Yes i do i and you do you. But advertising those things as security measures while not adding any real security is just snake oil and can result in neglecting real security measures.
As i said, the whole internet can be port scanned within seconds, so your services will be discovered, what is the risk you assume to have when your IP address is known and the fact that you host a service with it?
The service has the same vulnerabilities if it is hosted via cloudflare tunnels or directly via port forwarding on the router. So you assume that your router is not secure? Then unplug it, cause it is already connected to the router.
Geoblocking is useless for any threat actor. You can get access to VPN services or a VPS for very very very little money.
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
Something you might want to look into is using mTLS, or client certificate authentication, on any external facing services that aren’t intended for anybody but yourself or close friends/family. Basically, it means nobody can even connect to your server without having a certificate that was pre-generated by you. On the server end, you just create the certificate, and on the client end, you install it to the device and select it when asked.
The viability of this depends on what applications you use, as support for it must be implemented by its developers. For anything only accessed via web browser, it’s perfect. All web browsers (except Firefox on mobile…) can handle mTLS certs. Lots of Android apps also support it. I use it for Nextcloud on Android (so Files, Tasks, Notes, Photos, RSS, and DAVx5 apps all work) and support works across the board there. It also works for Home Assistant and Gotify apps. It looks like Immich does indeed support it too. In my configuration, I only require it on external connections by having 443 on the router be forwarded to 444 on the server, so I can apply different settings easily without having to do any filtering.
As far as security and privacy goes, mTLS is virtually impenetrable so long as you protect the certificate and configure the proxy correctly, and similar in concept to using Wireguard. Nearly everything I publicly expose is protected via mTLS, with very rare exceptions like Navidrome due to lack of support in subsonic clients, and a couple other things that I actually want to be universally reachable.
=> More informations about this toot | More toots from bear@slrpnk.net
Wow, thats very, very nice. I didnt know this even existed.
But I suppose if it had widespread support it would be the perfect solution.
Firefox mobile not supporting it might be a dealbreaker though, since it is the browser I use and the one I persuaded all my friends and family to switch to…
But this is an incredibly interesting technology and I will surely look into implementing at least partially if that works.
Thanks a lot for sharing!
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Sounds like the clearnet equivalent to i2p encrypted lease sets
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
mTLS is great and it’s a shame Firefox mobile still doesn’t support it.
=> More informations about this toot | More toots from InEnduringGrowStrong@sh.itjust.works
does anyone have an actual horror story about anything happening via an exposed web service? let’s set aside SSH
=> More informations about this toot | More toots from slug@lemmy.world
Id like to know as well. I definetely dont want to be the first person of that story tough
Ive heard of someone who exposed the docker management port on the internet and woke up to malware running on their server. But thats of course not the same as web services.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
Once a server is compromised there are lots of uses. Everything from DDOS attacks to obscuring attacks against other targets. An attacker doesn’t want to be discovered so they likely will hide as much as they can.
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
Counter question
How would you know something went wrong? Do you monitor all the logs? Do you have alerting?
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
Yeah, a company got toasted because one of their admins was running Plex and had tautulli installed and opened to the outside figuring it was read-only and safe.
Zero day bug in tat exposed his Plex token. They then used another vulnerability in Plex to remote code execute. He was self-hosting a GitHub copy of all the company’s code.
=> More informations about this toot | More toots from linearchaos@lemmy.world
Last time they’ll ever do that! Pass the buck of hosting web-facing Plex servers onto somebody else.
=> More informations about this toot | More toots from conorab@lemmy.conorab.com
This guy was running a three year old version of Plex with a known (and later fixed RCE), and was working for LastPass.
=> More informations about this toot | More toots from mint_tamas@lemmy.world
Why don’t you use something like Tailscale? Other than that using non standard ports greatly reduces the risks of you getting compromised. The majority of attacks come from port scanners scanning for default ports and trying to use known vulnerabilities.
=> More informations about this toot | More toots from filister@lemmy.world
It’s great that you self host but security especially of service directly exposed to internet is very difficult. Use somekind of Direct VPN or services like tailscale etc
=> More informations about this toot | More toots from bear_cube@sh.itjust.works
Start with the basics:
=> More informations about this toot | More toots from bokherif@lemmy.world
To be even more explicit on the last point, that means regularly updating OpenWRT and all your containers, not just the server’s base OS
=> More informations about this toot | More toots from Skydancer@pawb.social
Is keeping everything inside of a local “walled garden”, then exposing the minimum amount of services needed to a WireGuard VPN not sufficient?
There would be be no attack surface from WAN other than the port opened to WireGuard
=> More informations about this toot | More toots from root@lemmy.world
Minimum open services is indeed best practice but be careful about making statements that the attack surface is relegated to open inbound ports.
Even Enterprise gear gets hit every now and then with a vulnerability that’s able to bypass closed port blocking from the outside. Cisco had some nasty ones where you could DDOS a firewall to the point the rules engine would let things through. It’s rare but things like that do happen.
You can also have vulnerabilities with clients/services inside your network. Somebody gets someone in your family to click on something or someone slips a mickey inside one of your container updates, all of a sudden you have a rat on the inside. Hell even baby monitors are a liability these days.
I wish all the home hardware was better at zero trust. Keeping crap in isolation networks and setting up firewalls between your garden and your clients can either be prudent or overkill depending on your situation. Personally I think it’s best for stuff that touches the web to only be allowed a minimum amount of network access to internal devices. Keep that Plex server isolated from your document store if you can.
=> More informations about this toot | More toots from linearchaos@lemmy.world
They aren’t going to go after your data. They will take over your machine and use it for there own purposes. This happens in a automated way and they can build botnets made of 1000’s of devices.
I would strongly suggest not opening any ports. Instead use a mesh VPN like Tailscale or Netbird. You could even access it over the dark web via i2p or Tor.
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
Unless you are a diehard FOSS person or whatever I’d recommend only using reverse tunneling and leveraging cloudflares infrastructure for access and also authentication.
It’s crazy the amount of stuff they give away for free
=> More informations about this toot | More toots from Evotech@lemmy.world This content has been proxied by September (ba2dc).Proxy Information
text/gemini