this post was submitted on 07 Aug 2025
16 points (94.4% liked)

I'm in the process of setting up homelab stuff and I've been doing some reading. It seems the consensus is to put everything behind a reverse proxy and use a VPN or Cloudflare tunnel.

I plan to use a VPN for accessing my internal network from outside and to protect less battle-tested FOSS software. But I feel like if I can't open a port to the internet to host a webserver then the internet is no longer a free place and we're cooked.

So my question is: can I expose a webserver, SSH, and WireGuard to the internet with reasonable safety? What precautions and common mistakes do I need to watch out for?

[–] dethmetaljeff@lemmy.ml 2 points 1 day ago* (last edited 1 day ago)

SSH is almost always a terrible idea to open on the internet. It's just not worth the risk for the slight convenience. Web, VPN, etc... go for it. Just make sure you take appropriate precautions: fail2ban, geoip blocks, and keep your exposed software patched. Use something like hostedscan to make sure you don't have any known vulnerabilities exposed to the internet or obvious misconfigurations.

I additionally use crowdsec on my webserver; it functions as a slightly more intelligent fail2ban. It rarely triggers but it's a nice additional layer. My fail2ban triggers several times a day. I've got it following my default virtual host and banning anyone that hits it (if you don't at a minimum know my external hostnames then you have no business accessing my ports).
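
A dry run of the default-virtual-host ban rule described in the comment above, as an added example that is not part of the thread: it reads the catch-all host's access log and reports which client addresses such a rule would ban and which an ignore list would spare. It assumes the catch-all host writes its own access log in the common/combined format; the function name, ignore list and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the catch-all (default) virtual host has its own access log in
# common/combined format, so every parsable line is a request that did not
# name one of the real hostnames.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2025:10:01:02 +0000] "GET / HTTP/1.1" 444 0 "-" "-"
203.0.113.7 - - [07/Aug/2025:10:01:03 +0000] "GET /.env HTTP/1.1" 444 0 "-" "-"
192.168.1.20 - - [07/Aug/2025:10:02:00 +0000] "GET / HTTP/1.1" 444 0 "-" "curl/8.5.0"
2001:db8::5 - - [07/Aug/2025:10:03:10 +0000] "HEAD / HTTP/1.1" 444 0 "-" "-"
garbage line that does not parse
198.51.100.9 - - [07/Aug/2025:10:04:00 +0000] "\\x16\\x03\\x01" 400 0 "-" "-"
"""

# Addresses that must never be banned (same role as fail2ban's ignoreip).
DEFAULT_IGNORE = ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def ban_candidates(log_text, ignore=DEFAULT_IGNORE, max_hits=1):
    """Return ({ip: hits} for IPs with >= max_hits hits, count of unparsable lines)."""
    nets = [ipaddress.ip_network(n) for n in ignore]
    hits, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed line: count it, never guess an IP
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            skipped += 1          # first field is not an IPv4/IPv6 address
            continue
        if any(ip in net for net in nets):
            continue              # LAN, loopback or other trusted source
        hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= max_hits}, skipped

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

Running it over a few days of real log before enabling the ban shows whether your own monitoring, LAN clients or uptime checks would be caught by a one-hit rule.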