Paranoia Level: Virtualization or Isolated Machines for Self-Hosting?
https://lemmy.world/post/23071801
=> More informations about this toot | More toots from TCB13@lemmy.world
I have a server that I run services through traefik/docker on.
It ALSO has a drive that is a MIRROR of my NAS.
That NAS has a lil slavey twin, an external 14TB USB HDD. It’s on my laptop.
Every time my laptop is idle, it does a little rsync with the server's NAS to stay current.
I keep a 3rd copy (mirroring server NAS) in the cloud.
=> More informations about this toot | More toots from foggy@lemmy.world
I don’t have anything publicly accessible on my network (other than wireguard), but if I did I’d just put whatever it was on its own VLAN, run a wireguard server on it, and use a VPS as a reverse proxy that connects to it.
=> More informations about this toot | More toots from gaylord_fartmaster@lemmy.world
So you do trust LXC isolation to the point of thinking that it would be close to impossible to compromise your host?
=> More informations about this toot | More toots from TCB13@lemmy.world
I’m not really worried about it. Each LXC runs as its own user on the host, and they only have access to what they need to run each service.
If there’s an exploit found that makes that setup inherently vulnerable then a lot of people would be way more screwed than I would.
=> More informations about this toot | More toots from gaylord_fartmaster@lemmy.world
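One way to check the "each LXC runs as its own user on the host" property from the comment above, as an added example that is not code from any commenter. It assumes native LXC config syntax (`lxc.idmap = u 0 100000 65536`) in flat files without includes; the container names and ranges are constructed.

```python
import re
from itertools import combinations

# Native LXC syntax, e.g.: lxc.idmap = u 0 100000 65536
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def host_uid_ranges(config_text):
    """Return [(first_host_uid, last_host_uid)] for the UID maps in one config."""
    ranges = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and m.group(1) == "u":
            start, count = int(m.group(3)), int(m.group(4))
            ranges.append((start, start + count - 1))
    return ranges

def audit(configs):
    """configs: {container name: config text}. Returns a list of findings."""
    findings, mapped = [], {}
    for name, text in configs.items():
        ranges = host_uid_ranges(text)
        # No idmap means no user namespace: container root is host root.
        if not ranges or any(lo == 0 for lo, _ in ranges):
            findings.append(f"{name}: host uid 0 is mapped in (privileged)")
        mapped[name] = ranges
    # Two containers sharing host UIDs are not separated from each other
    # at the host level, even if both are unprivileged.
    for (a, ra), (b, rb) in combinations(sorted(mapped.items()), 2):
        if any(l1 <= h2 and l2 <= h1 for l1, h1 in ra for l2, h2 in rb):
            findings.append(f"{a} and {b}: overlapping host uid ranges")
    return findings

# Constructed sample configs (not taken from the thread).
SAMPLE = {
    "web": "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n",
    "db": "lxc.idmap = u 0 100000 65536  # same range as web\n",
    "media": "lxc.idmap = u 0 200000 65536\n",
    "legacy": "lxc.net.0.type = veth\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
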
> If there’s an exploit found that makes that setup inherently vulnerable then a lot of people would be way more screwed than I would.
Fair enough ahah
=> More informations about this toot | More toots from TCB13@lemmy.world
Nothing is impossible to compromise. It’s about making it not worth it (why go after some home lab when they can use the same methods to extort millions of dollars?).
=> More informations about this toot | More toots from macroplastic@sh.itjust.works
I just run Docker and my router maps ports to it. Container isolation and a basic firewall are more than enough for me.
Like are we talking what’s good enough security for hosting an anime waifu tier list blog or good enough security for a billion dollar corporation?
=> More informations about this toot | More toots from Breve@pawb.social
> are we talking what’s good enough security for hosting an anime waifu tier list blog or good enough security for a billion dollar corporation?
You tell me. :)
What would you do/trust in both situations?
=> More informations about this toot | More toots from TCB13@lemmy.world
Well from personal experience with a small website the biggest things you have to deal with are web crawlers trying to vacuum up every last ounce of data they can find and web crawlers trying to find obvious backdoors like trying default WordPress logins (even if you’re not running WordPress). Make sure your software is properly configured and up to date and you’re safe. Some isolation is still a good idea but don’t lose sleep on which one because they’re all still overkill in this case.
On the other hand if you’re running a service that would be actively targeted by a large government enforcement agency or some other very wealthy and highly motivated entity, then complete physical isolation would be the only acceptable answer but with even more protocols to prevent contamination or identification as there have been attacks demonstrated that could infiltrate even air-gapped environments and that’s assuming you could hide it well enough.
Keep in mind if you want to use any of these technologies because you want to learn them or just think they’re neat, then please do! I suspect a lot of people with these types of home setups are doing it mostly for that reason and not because it is absolutely necessary for security purposes.
=> More informations about this toot | More toots from Breve@pawb.social
> because you want to learn them or just think they’re neat, then please do! I suspect a lot of people with these types of home setups are doing it mostly for that reason
That’s an interesting take.
=> More informations about this toot | More toots from TCB13@lemmy.world
Your billion dollar corporations aren’t running dedicated hardware. That would be very expensive and impossible to manage.
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
Are you sure? A big bank usually does… It’s very common to see groups of physical machines + public cloud services that are more strictly controlled than others and serve different purposes. One group might be public apps, another internal apps and another HVDs (virtual desktops) for the employees.
=> More informations about this toot | More toots from TCB13@lemmy.world
Are you setting up a big bank?
Also banking IT is kind of a joke. I haven’t worked at a bank but I’ve heard stories.
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
> Your billion dollar corporations aren’t running dedicated hardware
You said it, some banks are billion dollar corporations :)
=> More informations about this toot | More toots from TCB13@lemmy.world
Ok, I meant things like AWS and Azure
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
A VM is practically as secure as a dedicated machine. I mean in theory it isn't. But in practice, that's how everybody does it, including the big tech companies. And there's rarely any dangerous vulnerabilities.
It all depends on how you set it up. If the machines are in the same subnet and can see each other. If you didn't set some permissions right. Or there is a vulnerability in the software or the way it's installed...
=> More informations about this toot | More toots from hendrik@palaver.p3x.de
My guy you forgot vpns
=> More informations about this toot | More toots from sepi@piefed.social
Is that still… self-hosting? In that case you would be hosting in a cloud company so…
=> More informations about this toot | More toots from TCB13@lemmy.world
You've never hosted your own vpn?
=> More informations about this toot | More toots from sepi@piefed.social
If you’re using a VPN from Amazon, Digital Ocean or wtv you’re by definition not self-hosting.
=> More informations about this toot | More toots from TCB13@lemmy.world
What part of "self hosting" that I mentioned above goes through a provider? Or do you only know like NordVPN?
=> More informations about this toot | More toots from sepi@piefed.social
Sorry, I misread your first comment. I was thinking you said “VPS”. :)
=> More informations about this toot | More toots from TCB13@lemmy.world
What about VPNs
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
I go with scenario 1 because it radically reduces the ways I can screw things up for myself.
=> More informations about this toot | More toots from zod000@lemmy.ml
Use defense in depth when possible. What you are describing wouldn’t work for any bigger setup as Proxmox clusters trust the underlying hosts. Also the chances of a hypervisor escape are very small. Chances are your weakest point will not be the hypervisor.
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
What you’re describing is scenario 2.
=> More informations about this toot | More toots from TCB13@lemmy.world
That’s what pretty much everyone uses
=> More informations about this toot | More toots from possiblylinux127@lemmy.zip
I appreciate the sentiment here, though I would agree that it is certainly paranoid 😅. I think if you’re careful with what you self host, where you install it from, how you install it and then what you expose, you can keep things sensible and reasonably secure without the need for strong isolation.
I keep all of my services in my k3s cluster. It spans 4 PCs and sits in its own VLAN. There aren’t any particular security precautions I take here. I’m a developer and can do a reasonable job verifying each application I install, but of course accept the risk of running someone else’s software in my homelab.
I don’t expose anything except Plex publicly. Everything else goes over Tailscale. I practise 3-2-1 backups with local disks and media as well as offsite to Backblaze. I occasionally offsite physical media backups as well.
I’d be interested to see what others think about this… most hosting solutions leave it all open by default. I think there’s a lot of small and easy ways one can practice good lab hygiene without air-gapping.
=> More informations about this toot | More toots from perry@aussie.zone
You’re on a scenario 2.B mostly, same as me. That’s the most flexible yet secure design.
=> More informations about this toot | More toots from TCB13@lemmy.world
Have you heard of Qubes?
=> More informations about this toot | More toots from Grappling7155@lemmy.ca
Wow hold your horses Edward Snowden!.. but at the end of the day Qubes is just a XEN hypervisor with a cool UI.
=> More informations about this toot | More toots from TCB13@lemmy.world