submitted 1 year ago by [email protected] to c/[email protected]

I just spun up a private instance of Lemmy on the cheapest Linode. So far so good.

I used the Ansible method of installing the instance on the default Debian 11 image from Linode (link below).

I feel a bit worried that there are no firewall instructions in the install documents. And no notes on securing your instance.

Any thoughts on how to set up ufw for a Lemmy instance? Or thoughts on other security tips?

https://github.com/LemmyNet/lemmy-ansible

[-] [email protected] 5 points 1 year ago

To piggyback on other comments, a firewall only stops access to services you don't want people to access.

Presumably you WANT people to access your Lemmy install, so a firewall doesn't really offer any added protection.

If there's an exploit in Lemmy, you might get bit, sure. It's always a case of maintaining good backups, having a response plan in place and taking mitigation steps - patch the underlying OS, subscribe to release and security notifications so you know when an update or issue is found, and have a plan to either rapidly patch or disable services until you can patch them.

If you want to dive into more depth, there's an awful lot of tooling from fail2ban to Crowdsec's offerings to a whole slew of SIEM options you could implement to monitor traffic to your host to identify and take action on suspicious and/or outright malicious traffic, but that's going to have to be a case of you deciding how much risk is okay and how much time you want to invest in mitigating.

It's one of those '10% of the time can solve 90% of problems' things, so if it's just a case of 'well, if something happens I'd be annoyed', it's maybe not worth investing a huge amount of time beyond updates and basic monitoring.

[-] [email protected] 3 points 1 year ago

Great perspective. Thanks. I am running a different production web server with fail2ban, knock and other mitigation strategies in place. In the case of Lemmy, Linode does automatic backups. I’ll have a think about how much work I want to put into this. A hack or crash would mostly be an annoyance.
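
An added example, not part of the thread and not lemmy-ansible code: the comment's point that a firewall only blocks services you did not mean to expose can be checked by listing listening TCP sockets and flagging any bound beyond loopback on a port outside the intended set. The `ss -tlnH` sample is constructed, and the intended ports (22, 80, 443) and all function names are assumptions.

```python
import ipaddress

# Assumption: the only ports meant to be public are SSH, HTTP and HTTPS.
INTENDED_PORTS = {22, 80, 443}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8536   0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 244  0.0.0.0:5432     0.0.0.0:*
LISTEN 0 4096 *:9100           *:*
"""


def parse_listener(line):
    """Return (address, port) for one `ss -tlnH` line, or None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    # Drop the %interface scope and IPv6 brackets before classifying.
    return addr.split("%")[0].strip("[]"), int(port)


def is_loopback(addr):
    """True only for addresses reachable from the host itself."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or an unknown form: treat as exposed


def unexpected_listeners(ss_output, intended=INTENDED_PORTS):
    """Sorted (port, address) pairs reachable off-host but not intended."""
    found = set()
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and not is_loopback(parsed[0]) and parsed[1] not in intended:
            found.add((parsed[1], parsed[0]))
    return sorted(found)


if __name__ == "__main__":
    for port, addr in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"listening beyond loopback, not intended: {addr}:{port}")
```

On a real host, pass it the text produced by `ss -tlnH`; an empty result means no TCP listener is bound beyond loopback other than the ports you intended.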

this post was submitted on 14 Jun 2023
12 points (87.5% liked)

Selfhosted
