12
How to secure private lemmy instance installed using ansible method? (hive.atlanten.se)
submitted 1 year ago by [email protected] to c/[email protected]
7 comments fedilink hide all child comments

I just spun up a private instance of lemmy on the cheapest Linode. So far so good.

I used the ansible method of installing the instance on the default Debian 11 image from Linode (link below).

I feel a bit worried that there are no firewall instructions in the install documents. And no notes on securing your instance.

Any thoughts on how to set up ufw for a lemmy instance? Or thoughts on other security tips?

https://github.com/LemmyNet/lemmy-ansible

top 7 comments
sorted by: hot top controversial new old
[-] [email protected] 6 points 1 year ago

A firewall won't help you much beyond making sure no unwanted ports are open. The ansible install of Lemmy makes sure to only expose the ports 80 and 443 to the outside, which is fine for running a webserver. Additionally, Lemmy sets up a containerised environment for itself, so even if Lemmy is compromised, there is an additional hurdle to overcome if somebody wanted to compromise the underlying server itself.

As a more general security tip, I'd recommend you set up SSH with key based authentication and disable password authentication after you did that. Passwords can be brute forced, completely compromising your server if found.

[-] [email protected] 5 points 1 year ago

Also consider changing the port for SSH to some random port >1024 and maybe install fail2ban for good measure.

[-] [email protected] 1 points 1 year ago

Thanks! Good insight. For sure password-ssh is disabled and strong crypto used. I think this I’m at “good enough” for what I’m protecting atm.

[-] [email protected] 5 points 1 year ago

To piggyback on other comments, a firewall only stops access to services you don't want people to access.

Presumably you WANT people to access your Lemmy install, so a firewall doesn't really offer any added protection.

If there's an exploit in Lemmy, you might get bit, sure. It's always a case of maintaining good backups, having a response plan in place and taking mitigation steps - patch the underlying OS, subscribe to release and security notifications so you know when an update or issue is found, and have a plan to either rapidly patch or disable services until you can patch them.

If you want to dive into more depth, there's an awful lot of tooling from fail2ban to Crowdsec's offerings to a whole slew of SIEM options you could implement to monitor traffic to your host to identify and take action on suspicious and/or outright malicious traffic, but that's going to have to be a case of you deciding how much risk is okay and how much time you want to invest in mitigating.

It's one of those 10% of the time can solve 90% of problems thing, so if it's just a case of 'well if something happens I'd be annoyed' it's maybe not worth investing a huge amount of time beyond updates and basic monitoring.

[-] [email protected] 3 points 1 year ago

Great perspective. Thanks. I am running a different production web server with fail2ban, knock and other mitigation strategies in place. In the case of lemmy Linode does automatic backups. I’ll have a think about how much work I want to put into this. A hack or crash would mostly be an annoyance.

[-] [email protected] 2 points 1 year ago

So a good exercise for threat modeling is to think through what would happen if your instance is compromised. Are there shared passwords on the machine? Other services? Private user data? Etc. Most likely your answer is there is nothing particularly sensitive on your Lemmy machine. If the instance is compromised they just have access to your compute resources at which point they might try to mine crypto with it or something.

So with that in mind, I might check on your billing model to make sure there isnt any sort of scaling cost they might be able to run up if that happened. Perhaps put some resource usage alarms in place. Im honestly not familiar with Linode, but have a lot of experience with AWS and GCP from my job.

I also recently found a nice general guide to securing a Linux server on GitHub you might find useful or interesting.

[-] [email protected] 1 points 1 year ago

Great insights! Yeah, you're right. There is nothing they can get from the machine that really compromises anything important. It is indeed the compute resources that are what needs to be kept an eye on.

It's a really good idea to put usage restrictions in place. There are already alerts in place, but I have scaled the triggers way down, as lemmy really doesn't use a lot of resources ATM. Will look into restrictions also.

this post was submitted on 14 Jun 2023
12 points (87.5% liked)

Selfhosted

39251 readers
378 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]