this post was submitted on 17 Jul 2023
59 points (100.0% liked)

Selfhosted

39919 readers
271 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey guys,

Currently im just running calibre and nextcloud docker containers over the web, with a ddns from noip and a cloudflare domain. But i also want to setup a vaultwarden container too, so now i need to really consider the security of my server. What are the main things to watch out for? Calibre and nextcloud are just using subdomains, is it okay to have a subdomain to connect to vaultwarden? Am i better off just trusting bitwarden and sticking with them?

Thanks!

all 28 comments
sorted by: hot top controversial new old
[–] [email protected] 28 points 1 year ago (2 children)

IMO if you are asking such question - stick to Bitwarden cloud.

Passwords, at least to me, is something I don't want to lose. I don't trust myself I could provide a proper uptime & security, so I just use cloud version.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

I recently switched to cloud from vaultwarden. I was comfortable enough with the security, but when I started to actually plan disaster recovery, it was something I literally could not afford to get wrong.

So bitwarden is the one service I don't, and have no plans to, self host.

[–] [email protected] 3 points 1 year ago (1 children)

Bitwarden's official self hosting stack (not a single container) ships with nightly encrypted database dumps. And their backup page mentions just needing to backup the 'bwdata' folder which has worked great for me.

https://bitwarden.com/help/install-on-premise-linux/

[–] [email protected] 1 points 1 year ago

That's great. For me, at least, getting a server restored from backup on something like aws without access to passwords was going to require more preparation than I was willing to deal with.

Definitely worth exploring if you're prepared to handle that though.

[–] [email protected] 3 points 1 year ago

Yeah that was something i was worried about too, not like my server is an proper rig. Its just a shitty laptop with a slow ass HDD, and who knows how much life its got

[–] [email protected] 19 points 1 year ago (1 children)

Is there a reason you can't just VPN in and expose only the VPN gateway? My preferred security is not exposing a bunch of random applications to the internet and hoping each doesn't ever have any vulnerabilities.

[–] [email protected] 1 points 1 year ago (2 children)

Yeah i could definitely do that, however would that cause much trouble regarding using the nextcloud android app, or my ereader which uses OPDS to get books from calibre? I get thatd id have to sign into the VPN, but i already use mullvad on everything.

Sorry, just dont know much about personal VPNs

[–] [email protected] 3 points 1 year ago

Head scale would be a self-hosted way of doing this as well.

  • You'd install headscale publicly accessible on your VPS or port-forwarded server.
  • You'd configure your phone and any laptop you travel with using the tailscale apps with the special hidden setting to use your custom control-server.
  • Now any apps you want to access yourself but not for the public unauthenticated internet to see, you bind to tailscale/headscale interfaces rather than public interfaces.
  • Anything you DO want publicly accessible (for example immich for image sharing to friends who aren't on your tailscale network) you host the normal way by binding to a public interface.

You could also do this with regular tailscale and cut the self-hosted headscale out of the picture.

But by doing this or another private VPN setup, you take the listeners for some of your apps off the internet and reduce your attack-surface. It obviously doesn't help for WordPress or other stuff you actually want to share publicly, but it can give some peace of mind for personal services like bitwarden or Jellyfin.

[–] [email protected] 3 points 1 year ago

As long as you're connected to the VPN it probably shouldn't. I use the automate app on my phone to automatically connect to my home wireguard server whenever I'm off my wi-fi, and it works great.

You're going to run into an issue of only being able to have one VPN connected on Android at a time though if you're already running mullvad on it, but as long as you have a decent connection at home and no data cap, you could just route all of your traffic through your home network, and then split tunnel your private IPs to connect directly, and anything else through mullvad.

[–] [email protected] 11 points 1 year ago

Personally I trust Bitwarden more than myself to keep all my passwords secure AND available. They've got a good track record as far as I'm aware.

For general security hardening though...

I use Shodan to help me identify if anything is misconfigured and what is visible from the web. You can pick up an account for usually $1 for life when they run a deal, then you can just monitor your DDNS, domain, and IP address and have it email you when any new services are detected.

Cloudflare Tunnels, to remove the need for a nginx reverse proxy (with the added benefit of easy failover as well as simplifying your stack). Then I'm utilizing Cloudflare's WAF to handle filtering out known malicious, foreign IP addresses, and other malicious traffic.

Another route you can go is a Nginx/haproxy reverse proxy behind something like Suricata. Then you can utilize something like fail2ban or crowdsec.

Authentik. Get everything behind a SSO experience and don't expose your backend services to unauthenticated local traffic (utilize http basic auth with header passthrough in authentik). So many people setup auth wrong and then have something like auth.domain.com going through auth but then mistakenly have their external IP address setup to allow traffic in authenticated.

[–] [email protected] 10 points 1 year ago (1 children)

Security is a tough thing to give advice about. Different people have different levels of risk tolerance. It’s embarrassing to give advice about one’s personal views - tedious to write - and then get replies about how that’s too much security, too little security, etc.

Attackers can use tricks to enumerate dns subdomains. They can compromise one container and pivot to the container host.

You can frustrate automated compromises by putting up roadblocks or speed bumps they have to get through before seeing the stock landing or login pages for well known apps. That can buy you a little time if a serious exploit is discovered and you know you won’t be on top of container updates. But stay on your container updates.

[–] [email protected] 2 points 1 year ago (1 children)

Im assuming youd recommend using something like watchtower then? Or would you say its better to just ssh in and docker pull every now and then?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I’m a bad one to get how-to advice from if you’re starting out. Not a fan of docker and I don’t know what watchtower is. I’m one of those electricity-wasting home labbers who loves ESXi, vlans, and /30 nets for each individual VM.

I’m also one of those who takes months to accomplish what someone competent can do in days. It’s taking me forever to get openldap, postfix, dovecot, and roundcube to all play nice. (Because I’m trying to “be like daddy” and mimic the security I see at work, I can’t follow normal walkthroughs, or just install an off the shelf container and make it someone else’s problem. But this way makes me read manuals and gain a deep, durable understanding of the technology. And it takes forever.)

[–] [email protected] 3 points 1 year ago (1 children)

I wish It could be so simple for everyone... Docker is great when you have an old spare laptop and want to self host a few nice things: vaultwarden, traefik, searxng... Sure it's relatively new compared to VMs and is going to have some security flaws and reworks during the maturing process... But VMs had also their ups and downs long time ago before It got in a stable maturing state !

VM are nice but we (in my opinion) as human species need to find other solutions to get away from energy, rare metal hungry devices... something in between docker and VMs. But that's just my opinion.

Plus, docker and derivatives are also really interesting technologies where you have to read manuals and gain deep and durable knowledge to understand the future of virtualization.

[–] [email protected] 3 points 1 year ago

Totally agree. I think you’ve picked up on an attitude problem I need to fix, as that is keeping me from embracing a really useful technology. You caught me admitting to a bias that I know isn’t always true.

[–] [email protected] 7 points 1 year ago (1 children)

I just use wildcard domain that points to my local IP of my homelab. For example, *.myhomelab.com points to 192.168.1.111 (the local IP of my machine). Then, reverse proxy routes my traffic. Here are some great vids about it: by Wolfgang, by Christian Lempa, and by TechnoTim

To access my home network from outside, I use WireGuard VPN. So, I have the only one open port to the global web. I also use a random port, to dodge some bots. I use DDNS to access my VPN server, since I have a dynamic IP.

I know some people use Tailscale (it uses WireGuard under the hood) so check it out too.

Personally, I use wgeasy container to work with WireGuard, but it's so easy to be manually configured.

I'm not an expert in security or system administrating. I'm just a regular software developer, and homelabbing is my hobby. However, I have common sense of the security basics. I consider every open port as a potential vulnerability that could be exploited by hackers. So less open ports -> less security risks. Also, using VPN to access my home network adds additional layer of security. Adding 2FA for each service is also a great idea.

[–] [email protected] 3 points 1 year ago

Here is an alternative Piped link(s): https://piped.video/watch?v=qlcVx-k-02E

https://piped.video/watch?v=TBGOJA27m_0

https://piped.video/watch?v=liV3c9m_OX8

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source, check me out at GitHub.

[–] [email protected] 5 points 1 year ago

I'd say, what kind of security are you talking about? Apart from standard HTTPS to keep things encrypted, there are other layers if you want to keep your service exposed to the internet.

Also how things are installed and if they are correct, proper file permissions. nothing different than having it on the server somewhere. You just need to keep thing up to date and you'll be fine.

[–] [email protected] -2 points 1 year ago (1 children)

I always see guys swearing by Wireguard for VPN access as a security measure and seems to me like if someone unauthorized gets your public key, they have access to the kingdom.

[–] [email protected] 2 points 1 year ago (1 children)

It's your private key, but yes, you would need to keep it secret just like you would an SSH key.

The benefits of a VPN are that you don't need to open ports up to the internet and rely on your individual services to be secure. Your VPN would authenticate users and ensure that the communication over the tunnel is encrypted (useful if you don't want to set up SSL/https). They can also hide what services you are hosting or even hide the fact that you are even running a VPN.

Private keys are going to be far more secure than passwords since you really can't brute force them in the same way you can passwords. Getting ahold of someone's private key is probably going to be far more difficult than guessing their password. Even if an attacker were to get ahold of your private key, they would still need to contend with the security of your service, e.g. logging into it, which would be no worse than not having a VPN.

[–] [email protected] 1 points 1 year ago (1 children)

You don't get any network isolation with this approach vs a service running in its own dedicated virtual network. Just for this reason, I think Wireguard as a VPN access to other local services is insecure.

[–] [email protected] 3 points 1 year ago

Just because your using a VPN doesn't mean you can't isolate hosts to a separate network. I keep my services in a different VLAN and I can route/firewall traffic between that network and anywhere else as I please.