this post was submitted on 08 Jan 2025
31 points (97.0% liked)

Self Hosted - Self-hosting your services.

11699 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Cross-posting

If you see a rule-breaker please DM the mods!

founded 3 years ago
MODERATORS
 

Can the vps provider not read everything on your server, unless it's explicitly encrypted?

I'm asking because I'm interested in self-hosting mainly as a way to get privacy respecting services where good hosted ones don't exist. I'm not sure I really want to deal with running my own hardware

all 33 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 6 days ago

They have full access to the hardware, everything on it, and all traffic going to/from it. So you need to trust the provider you use somewhat.

If you just want privacy from the usual online services by running some of your own stuff, then that's totally fine.

[–] [email protected] 5 points 6 days ago (2 children)

you dont need to run a server. get a mini pc, set it up, iron out the issues and it will run perfectly fine if you dont fuck with it.

there are a few tasks like updating it, but it can be set up to do it by itself. it doesnt need stellar reliability, just regular backups.

[–] [email protected] 2 points 5 days ago

Now the mini pc is a server!

[–] [email protected] 1 points 6 days ago (2 children)

Idk how to even attach it to a domain

[–] [email protected] 4 points 5 days ago

yeah theres a learning process before you can set it and forget if you dont have prior experience.

[–] [email protected] 3 points 5 days ago

The networking aspect will likely be the trickiest, but if you're already interested in administrating a VPS you can absolutely do it.

  1. Have an ISP that doesn't block inbound connections. So far both Comcast and Verizon have been cool to me in that regard.
  2. Configure your router to always give your host machine the same internal-network IP address.
  3. Configure your router to forward any relevant ports (TCP/80 for insecure HTTP, e.g.) to the internal address you assigned to your host.
  4. Go to ifconfig.me or similar to ascertain your public Internet IP address.
  5. Buy a domain (Namecheap has been good to me for a decade) and change its A record to point to that address!

Not hard, but not exactly uncomplicated either.

[–] [email protected] 2 points 5 days ago

Why would they.

Their core business is hosting.

[–] [email protected] 3 points 6 days ago

I use 2 VPN with my setup:

  1. The private one, hosted on a VPS (OVHcloud). I set it up my self. It's a bit of work, as you need to take care of properly setting up firewall and reasonably security this server as it is directly facing the Internet. OVH provids some good guides on their website and you can find other resources. You can rent the lowest tire VPS and deploy Debian and Wireguard and you're all set ! This VPN is for connecting to my NAS at home from outside, and also for secure Internet browsing from public WiFi. This is my own VPN for me and myself (plus my family to a lesser extent).
  2. The one for Torrenting exclusively Linux ISO of course. This one is a Nord on subscription, and the benefits is not really privacy IMO but rather to be drown into the traffic of thousands of other users.
[–] [email protected] 1 points 5 days ago

It's not, but tls encryption cannot be read by a man in the middle. So feel free to use a vps as a way to shield your ip

[–] [email protected] 2 points 6 days ago

I had similar concerns in the past. I decided to move all of my VPS hosted services to a physical server that I control. I then use a VPS as a portal, set to simply forward traffic without unencrypting the HTTPS. Look up SSL pass through.

[–] [email protected] 25 points 1 week ago (1 children)

Yes. Yes they can.

Good companies will have measures to ensure customer privacy, all the way up to ridiculous level stuff like keeping servers inside electrically touch-sensing cages with biometrically locked entrances that can only be entered with a customer representative present.

So generally there shouldn't be a cause for concern with any respectable provider.

Then again, running a server at home isn't that bad. My dad did it, he still does it, and now I do, too. We are each others' off-site backup.

The main issue is usually whether you have access to a suitable internet connection. If you want to access your stuff out-of-home, that is.

The hardware can be almost anything. Depending on what you want to run, you usually don't have to be picky. My machine was built, and gets upgraded, using dirt-cheap parts off the used market, always a couple generations behind the latest hardware.

The only thing I buy new are the hard-drives.

[–] [email protected] 3 points 1 week ago (1 children)

I have an old laptop I tried using, though it had some keyboard issues and it's wifi is near dead, so I'd have to buy ethernet adaptors at minimum

[–] [email protected] 4 points 1 week ago (2 children)

A laptop is a great place to start.

I like using desktop components as I've been able to incrementally upgrade the ram, CPU, and drives as the years go by. A lot of people also really like using single board computers.

The only thing I'd recommend against are pre-built NASes. Theyre proprietary AF and so overpriced for what you get if you don't need the handholding of the consumer NAS software.

One thing I recommend doing, is keeping step by step notes on everything you set up, and keep a list of files and folders you'd need to keep to easily run whatever you're running on a new system.

That way, moving to a new system, changing your config, or reinstalling the OS is so much easier. A couple years down the line you'll be thanking yourself for writing down how the hell you configured that one thing years back.

Almost every problem I've had was due to me not accounting for some quirk of my config that I'd forgotten about.

And that would apply with a VPS, too, if you end up going that route.

[–] [email protected] 2 points 4 days ago (1 children)

The only thing I'd recommend against are pre-built NASes. Theyre proprietary AF and so overpriced for what you get if you don't need the handholding of the consumer NAS software.

The moment people realize a NAS is just a small factor desktop with a lot of space with good Ethernet speed, their eyes widen up the same way people realized the cloud is just someone else's computer.

[–] [email protected] 1 points 4 days ago

They are genuinely useful devices, in that they simplify the process of running what is essentially a home server, down to something the average person can pull off by just buying a box and slotting some drives into it, then use a simple UI to configure whatever basic services they like.

For just the hardware, they're absolutely robbery. You're paying for the software to hold your hand. If you don't need that, they're pretty much pointless.

[–] [email protected] 2 points 1 week ago

Might just learn nix if I get to that.

But yeah, I have no interest in prebuilt devices

[–] [email protected] 15 points 1 week ago (2 children)

If it is in the RAM, they can read it. Since it is a virtual server they can freeze and clone the current state and connect to that copy and read all data that is currently encrypted/opened without you even knowing.

[–] [email protected] 8 points 1 week ago (2 children)

Technically a lot of the newer chips used in datacenters support encrypted VMs which encrypts the RAM too, although you still have to trust that the hosting provider uses that feature.

[–] [email protected] 1 points 5 days ago

Irrelevant unless you own the key they are using for it

[–] [email protected] 0 points 1 week ago (1 children)

I'm assuming that would drive up costs, so not very many use it

[–] [email protected] 1 points 5 days ago

They will offer it as an optional service and charge you for it. So yes they use it.

[–] [email protected] -4 points 1 week ago (3 children)

While this is technically true, there is no provider on the planet that can freeze state of RAM in a way that would be useful for this.

It's technically feasible to recover data on a laptop's RAM, but not from a virtualized multi-tenant instance tied to a specific user.

[–] [email protected] 5 points 6 days ago (1 children)

there is no provider on the planet that can freeze state of RAM in a way that would be useful for this

You are very mistaken, this is a well-supported feature in most modern virtualization environments.

Here are XenServer docs for it. And here is VMWare's "high-frequency" snapshots page.

Sometimes, law enforcement authorities only need to contact cloud provider A when they have a warrant for (or, perhaps, no warrant but a mere request for) data about some user C who is indirectly using A via some cloud-hosted online service B.

A(mazon) will dutifully deliver to the authorities snapshots of all of B's VMs, and then it is up to them if they limit themselves to looking for data about C... while the staff of company B can honestly say they have not received any requests from law enforcement. (sorry my best source on this at the moment is sadly trust me bro; I've heard from an AWS employee that the above scenario really actually does happen.)

[–] [email protected] -2 points 6 days ago (1 children)

I'm not talking about snapshots. I'm talking about viewing the RAM of a running instance and having that be useful for anyone who managed to get it. And let me give you two simple reasons why it's not going to be useful:

  • Encryption extensions at the CPU
  • Hypervisor resource evictions

Unless you were to go and be on that instance at the exact moment something was happening (or shortly thereafter), that memory is going to be useless.

Now, if someone were absolutely stupid, disabled CPU security extensions at the Hypervisor, AND did something like make a RAM disk and stored something on that-which is really just going out your way to leave a trail-then yeah, maybe you'd get something.

The default of every hosting provider I'm familiar with is encryption by default on absolutely everything from the Hypervisor up except the disk, so I'm seriously doubting the claim of OP unless there is otherwise non-TMB information.

Disk snapshots are another story if unencrypted.

[–] [email protected] 3 points 6 days ago

Here's a snapshot of the memory of a running live cd of Ubuntu. I ran a script to load 0123456789abcdef over and over and it's clearly readable. Nothing special is required for this, as the Hypervisor has access to anything that the VM does. If the VM loads the encryption key for your disk into memory it will be available to the provider.

[–] [email protected] 4 points 6 days ago (1 children)

Dunno what rock you were hiding under but this is absolutely possible in a hosted environment. There's even ESXi documentation on how to do it. Taking a snapshot can be detected, but can't be prevented. These memory dumps can include encryption keys, private keys (such as SSL certificates) and other sensitive data.

Unless you can physically touch the drive with your data on it, I would not store any sensitive data on it, encrypted or not.

[–] [email protected] 1 points 6 days ago (1 children)

You don't need to freeze the state of the RAM, you freeze the whole virtual machine - including the virtual RAM.

[–] [email protected] 0 points 6 days ago (1 children)

Did you read the original comment???

[–] [email protected] 2 points 6 days ago

What do you think the “v” in “vps” stands for?

[–] [email protected] 9 points 1 week ago (2 children)

As soon as someone else has access to the hardware, assume someone else has access to the data. Depending on your threat model this might be acceptable. If you just don't want snooping, I'd say a VPS is a perfectly valid solution.

I use a dedicated server, but in this regard it is similar to a VPS, and I carefully consider what kind of data I put on it. I wouldn't put very private data on there. Simply because I see no need for it to be there.

[–] [email protected] 3 points 1 week ago

The important difference between a paid VPS subscription and a free account with s online services is how they are financed. With the latter, definitely assume you're the product, specifically your data.

Any VPS provider should have a privacy policy, and as a user you should acquaint yourself with the securities they (claim to) provide. The fact that you pay even a pittance for their service should be an incentive not to monetise or snoop your data.

But yeah, short of an encrypted online backup service, I'd never put "very private data" online at all...

[–] [email protected] 1 points 1 week ago

I don't have an explicit threat model beyond "I don't want anyone able to read my stuff". It just makes me uncomfortable and I find myself limiting what I'm able to put down. I'll trust a provider or service if I must, but generally I just prefer things to be E2E and not worry about it