You can mitigate some risks with software like fail2ban to slow down some of the hacking attempts, but you will still be susceptible to, sometimes unintentional, denial of service attacks from ever persistent "AI" crawler bots as well as the constant barrage of automated hacking attempts. If you're bandwidth is not able to handle it or you have bandwidth caps, you're likely going to have issues.
this post was submitted on 07 Aug 2025
17 points (94.7% liked)
Self Hosted - Self-hosting your services.
15274 readers
3 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules
- No harassment
- crossposts from c/Open Source & c/docker & related may be allowed, depending on context
- Video Promoting is allowed if is within the topic.
- No spamming.
- Stay friendly.
- Follow the lemmy.ml instance rules.
- Tag your post. (Read under)
Important
- Lemmy doesn't have tags yet, so mark it with [Question], [Help], [Project], [Other], [Promoting] or other you may think is appropriate. This is strongly encouraged!
Cross-posting
- !everything_git@lemmy.ml is allowed!
- !docker@lemmy.ml is allowed!
- !portainer@lemmy.ml is allowed!
- !fediverse@lemmy.ml is allowed if topic has to do with selfhosting.
- !selfhosted@lemmy.ml is allowed!
If you see a rule-breaker please DM the mods!
founded 4 years ago
MODERATORS
I used to do this myself, just with OpenVPN instead of Wire guard, worked fine, then I found overlay networks like Tailscale and it changed my life.
Just use an overlay network. Tailscale or Netbird are my personal recommendations, Netbird if you want 100% open source right out of the box, Tailscale if you don't mind their default coordination server being closed source, (you can run the open source Headscale server if you want)
Overlay networks make all this sooooo much easier. Encrypted secure access to any and all of your internal network devices, with fine tuned access control depending on how you want it set up.
I will never portforward or manually set up a VPN tunnel again, overlay networks perfectly fit my use case and they are so much easier to get working.
You can. I recommend making sure you have logging in place so you know what's going on. This could include not just service logs but firewall logs as well. You might want to rate limit the connection attempts for SSH and WireGuard and consider Fail2Ban or something similar.
Fail2ban is useless for a wireguard endpoint. Wireguard never sends a response unless there’s a valid signed handshake request. It’s basically a blackhole.
SSH is almost always a terrible idea to open on the internet. It's just not worth the risk for the slight convenience. Web, VPN, etc.... go for it. Just make sure you take appropriate precautions, fail2ban, geoip blocks and keep your exposed software patched. Use something like hostedscan to make sure you don't have any known vulnerabilities exposed to the internet or obvious misconfigurations.
I additionally use crowdsec on my webserver it functions as a slightly more intelligent fail2ban. It rarely triggers but it's a nice additional layer. My fail2ban triggers several times a day. I've got it following my default virtual host and banning anyone that hits it (if you don't at a minimum know my external hostnames then you have no business accessing my ports).
Can someone clarify this for me: is the below true?
Even if a port is exposed on a regular residential network (no public IP address), due to NAT, nothing will be able to reach that port unless the application running on that port is trying to reach outside at the same time (for the purpose of NAT traversal)?
If a port is forwarded in NAT and an application is listening, outside traffic can reach it directly without the application needing to initiate a connection first.
The application doesn't have to actively reach outside, just to listen at that port. If there is no application listening an open port does nothing. Though a port can really only be called open if an application is listening.
I don't think that applies if you're NATted? Since you don't even have a port at the outer layer unless you reach out first.
That's the point of port forwarding. Yes, normally applications aren't reachable and have to reach out first. That's how your browser can receive answers. With port forwarding you instruct your router to always forward incoming traffic for a specific port to a specific computer in your LAN.
Aah so "opening a port" refers to port forwarding? I'd assumed it only meant allowing traffic through with firewall config.
In this case it probably means both. Plus the application listening on the other end. In its purest sense opening a port means having an application listen on that port.
This post considers the situation where you expose your ports to the internet, on the edge of your residential network, for example by setting your router to forward requests with port 443 to a certain host in your network. In this case you do have a public ip address and the configured port on your home server is now reachable from the internet. This is different from just exposing a port on a machine inside a residential network for local use.
Your ISP would need to support/allow this in the first place, right?
Can I expose webserver, SSH, WireGuard to the internet with reasonable safety?
Yes, yes, and yes. Though in all three cases, you would want to have some sort of filtering and IPS in place, like fail2ban or similar, at an absolute minimum. There are port scanners of all kinds scanning for vulnerable software that can be exploited. Some people suggest changing the port numbers away from the default, and while security through obscurity can be a valid tactic, it alone is not a layer of your security onion.
A reverse proxy plus tunnel is a reasonable default recommendation because it is easy and prevents a large class of low-effort attacks and exploits, but tunneling has its drawbacks such as adding a component that exists outside of your direct control. It is also not a panacea. Reverse proxying on its own ISP is also workable, as it means just one point of entry to reinforce with logging and blocking.
But I feel like if I cant open a port to the internet to host a webserver then the internet is no longer a free place and we're cooked.
The Internet is still (for now) a free place, but just like with free speech, effort must be expended to keep it free. The threats have increased and while other simpler options have arisen to fill demand for self hosting, this endeavor is about investing sufficient time and effort to keep it going.
In my estimation, it is no different then tending to a garden in the face of rising environmental calamities. You can and should do it, so long as you're fully informed about the effort required.
The Internet is a free place, in the sense that it's very, very public.
Expose the VPN and nothing else, if you can. There are always automated attacks scanning literally the entire Internet.
So, hate to break this to you but it's been almost 20 years since you shouldn't just open ports directly to your computer from your home router AND it's been about that long since ISPs just don't allow traffic to customers on standard ports like 80, 443, 21, 22, etc.
The way to do this is actually to have multiple computers, with the first computer acting as your firewall, IDS, and IPS. That computer should run no other services and should be heavily locked down after it's setup, as in most things should be made read-only except the few variable files that are required for operations.
That computer should then route traffic to computers behind it that provide services like https, ssh, etc. This setup makes everything much safer.
But you'll still have to contend with your ISP and they don't usually budge, so you'll have to run services on non-standard ports.
ISPs just don’t allow traffic to customers on standard ports like 80, 443, 21, 22, etc.
YMMV