this post was submitted on 26 Jun 2024
93 points (87.8% liked)

Selfhosted

39980 readers
245 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I understand that people enter the world of self hosting for various reasons. I am trying to dip my toes in this ocean to try and get away from privacy-offending centralised services such as Google, Cloudflare, AWS, etc.

As I spend more time here, I realise that it is practically impossible; especially for a newcomer, to setup any any usable self hosted web service without relying on these corporate behemoths.

I wanted to have my own little static website and alongside that run Immich, but I find that without Cloudflare, Google, and AWS, I run the risk of getting DDOSed or hacked. Also, since the physical server will be hosted at my home (to avoid AWS), there is a serious risk of infecting all devices at home as well (currently reading about VLANS to avoid this).

Am I correct in thinking that avoiding these corporations is impossible (and make peace with this situation), or are there ways to circumvent these giants and still have a good experience self hosting and using web services, even as a newcomer (all without draining my pockets too much)?

Edit: I was working on a lot of misconceptions and still have a lot of learn. Thank you all for your answers.

(page 2) 50 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 4 months ago

Of course security comes with layers, and if you're not comfortable hosting services publically, use a VPN.

However, 3 simple rules go a long way:

  1. Treat any machine or service on a local network as if they were publically accesible. That will prevent you from accidentally leaving the auth off, or leaving the weak/default passwords in place.

  2. Install services in a way that they are easy to patch. For example, prefer phpmyadmin from debian repo instead of just copy pasting the latest official release in the www folder. If you absolutely need the latest release, try a container maintained by a reasonable adult. (No offense to the handful of kids I've known providing a solid code, knowledge and bugreports for the general public!)

  3. Use unattended-upgrades, or an alternative auto update mechanism on rhel based distros, if you don't want to become a fulltime sysadmin. The increased security is absolutely worth the very occasional breakage.

  4. You and your hardware are your worst enemies. There are tons of giudes on what a proper backup should look like, but don't let that discourage you. Some backup is always better than NO backup. Even if it's just a copy of critical files on an external usb drive. You can always go crazy later, and use snapshotting abilities of your filesystem (btrfs, zfs), build a separate backupserver, move it to a different physical location... sky really is the limit here.

[–] [email protected] 3 points 4 months ago (1 children)

If your SSH is using key authentication and you don't have anything silly as an attack vector, you should be grand.

[–] [email protected] 2 points 4 months ago

People who ho get compromised are the ones who expose a password authentication service with a short memorable password

[–] [email protected] 3 points 4 months ago

If you do it right you shouldn't get hacked. Even if you do you can keep good immutable backups so you can restore. Also make sure you monitor everything for bad behavior or red flags.

[–] [email protected] 2 points 4 months ago

I've been self hosting for 2 or 3 years and haven't been hacked, though I fully expect it to happen eventually(especially if I start posting my blog in places). I'd suggest self hosting a VPN to get into your home network and not making your apps accessible via the internet unless 100% necessary. I also use docker containers to minimize the apps access to my full system. Best of luck!

[–] [email protected] 2 points 4 months ago

It depends on what your level of confidence and paranoia is. Things on the Internet get scanned constantly, I actually get routine reports from one of them that I noticed in the logs and hit them up via an associated website. Just take it as an expected that someone out there is going to try and see if admin/password gets into some login screen if it's facing the web.

For the most part, so long as you keep things updated and use reputable and maintained software for your system the larger risk is going to come from someone clicking a link in the wrong email than from someone haxxoring in from the public internet.

[–] [email protected] 2 points 4 months ago

Not my experience so far with my single service I've been running for a year. It's making me even think of opening up even more stuff.

[–] [email protected] 1 points 4 months ago (1 children)

Yeah na, put your home services in Tailscale, and for your VPS services set up the firewall for HTTP, HTTPS and SSH only, no root login, use keys, and run fail2ban to make hacking your SSH expensive. You're a much smaller target than you think - really it's just bots knocking on your door and they don't have a profit motive for a DDOS.

From your description, I'd have the website on a VPS, and Immich at home behind TailScale. Job's a goodun.

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

Just changing the SSH port to non standard port would greatly reduce that risk. Disable root login and password login, use VLANs and containers whenever possible, update your services regularly and you will be mostly fine

[–] [email protected] 1 points 4 months ago* (last edited 3 months ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
NAS Network-Attached Storage
NAT Network Address Translation
NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency
Plex Brand of media server package
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #832 for this sub, first seen 26th Jun 2024, 10:25] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 0 points 4 months ago (1 children)

Can you (or a human) expand NPM, presumably not the Node Package Manager?

load more comments (1 replies)
load more comments
view more: ‹ prev next ›