Selfhosted

39965 readers

251 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

116

Help me harden my home server (lemmy.sdf.org)

submitted 2 days ago by [email protected] to c/[email protected]

59 comments fedilink hide all child comments

I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has "--net host", although the containers can access host services because they have the option "--map-guest-addr" set, so I don't know if this is any safer then "--net host".

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don't think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don't really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

(page 2) 9 comments

sorted by: hot top controversial new old

[–] [email protected] 0 points 2 days ago (3 children)

You might want to consider that backups only protect very old data from ransomware.

Ransomware works by getting on a machine and sitting for several months before activating. During that time, your data is encrypted but you don't know because when you open a file, your computer decrypts it and shows you what you expect to see. So your backups are working but are saving files that will be lost once the ransom ware activates.

The only solution is to frequently manually verify the backup from a known safe computer. Years ago I looked for something to automate this but didn't find it. (Something like a raspberry pi with no Internet that can only see the PC it's testing, compares a known file, then touches the file so it gets backed up again.)

[–] [email protected] 1 points 2 days ago (1 children)

During that time, your data is encrypted but you don't know because when you open a file, your computer decrypts it and shows you what you expect to see.

First time i hear of that. You sure? Would be really risky since you basically need to hijack the complete Filesystem communication to do that. Also for that to work you would need the private and public key of the encryption on the system on run time. Really risky and unlikely that this is the case imho.

[–] [email protected] 1 points 2 days ago (5 children)

I don't know much about ransomware but thats what got me concerned. I always assumed if I were to be infected, restic would just create a new snapshot for the files and Id be able to restore after nuking the server.

load more comments (5 replies)

[–] [email protected] 0 points 2 days ago

Ransomware is unlikely for a individual as there isn't a lot of payout. Not impossible but unlikely.

More likely that you computer will be used for other things.

load more comments (1 replies)

load more comments