Selfhosted

42055 readers

592 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

120

How do you all handle security and monitoring for your publicly accessible services? (lemmy.world)

submitted 2 days ago* (last edited 2 days ago) by a_fancy_kiwi@lemmy.world to c/selfhosted@lemmy.world

68 comments fedilink hide all child comments

This is a continuation of my other post

I now have homeassistant, immich, and authentik docker containers exposed to the open internet. Homeassistant has built in 2FA and authentik is being used as the authentication for immich which supports 2FA. I went ahead and blocked connections from every country except for my own via cloudlfare (I'm aware this does almost nothing but I feel better about it).

At the moment, if my machine became compromised, I wouldn't know. How do I monitor these docker containers? What's a good way to block IPs based on failed login attempts? Is there a tool that could alert me if my machine was compromised? Any recommendations?

EDIT: Oh, and if you have any recommendations for settings I should change in the cloudflare dashboard, that would be great too; there's a ton of options in there and a lot of them are defaulted to "off"

(page 2) 19 comments

sorted by: hot top controversial new old

[–] chirping@infosec.pub 2 points 2 days ago (1 children)

Some of these you're already doing, but writing a complete* list. *almost garuanteed not to be complete, suggestions welcome

Have everything behind the same reverse proxy, so that you have only one endpoint to worry about. Run it through ssllabs or similar to check your config.
On your reverse proxy, add one or more layers of authentication if possible. Many possibilities here: If one app supports client certificates, while another has limited capabilities, you could probably tie together something where IPs are whitelisted to the ither services based on that certificate auth.
Geoblock all countries you won't be accessing from
crowdsec is pretty nice, this detects/blocks threats. kinda like fail2ban but on steroids.
if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of "if it's compromised, they're not in your house".

lastly consider if these things need to be publically avilable at all. I'm happy with 95% of my services only being available through Tailscale (mesh VPN, paid service with good enough free tier, open source+free alternatives available), and I've got tailscale on all my devices

load more comments (1 replies)

[–] just_another_person@lemmy.world 1 points 2 days ago (5 children)

Why? Not every service is meant to be exposed to the open internet. Immich is the only one of what you listed that makes sense to have out in the open.

[–] a_fancy_kiwi@lemmy.world 3 points 2 days ago (1 children)

I've been playing around with the voice assistant stuff in homeassistant and it seemingly needs a public url to get all the features. I could be wrong about that though?

I put authentik in front of immich to handle authentication so that I would need need a 2FA code

[–] just_another_person@lemmy.world 3 points 2 days ago (1 children)

Most definitely does not need a public URL for Assist in HA. Not sure where you read that.

It sounds like you need a VPN to your internal services if you're concerned about security.

[–] a_fancy_kiwi@lemmy.world 2 points 2 days ago (1 children)

Most definitely does not need a public URL for Assist in HA. Not sure where you read that.

You're probably right. At one point, I had a subscription to homeassistant cloud a few years back to use a google nest speaker at the time. I was just going off that I guess. I'll do some testing and will probably put it back behind tailscale. thanks for the heads up

It sounds like you need a VPN to your internal services if you’re concerned about security.

I'm more so concerned that I set something up incorrectly and would like to be made aware of it in the event someone else noticed

[–] just_another_person@lemmy.world 1 points 2 days ago

That's very specific to individual services

load more comments (4 replies)

load more comments