I hear you can get a pretty good offer from CrowdStrike these days.
Anything exposed to the internet will be found by the scanners. Moving ssh off of port 22 doesn’t do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.
(It’s actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)
The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.
Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.
You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It’s a good idea, but decreases accessibility (which is part of security) - so there’s a value judgement here between the strength of a vpn and your accessibility goals.
Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it’s for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.
After strong auth, you want to think about software vulnerabilities - and you don’t have to think much, because there’s only one answer: keep your stuff up to date.
All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky. In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:
- Any successful ssh login
- Any successful root login
- If a port starts listening that you didn’t expect
- If the system watching for these things goes down (have two systems that watch each other)
That list could be much longer, but that’s a good start.
After Identification, there’s Contain + Eradicate. In a homelab context, that’s probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they’re in, they’re in. Reformat the disk.
R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for “rebuild”. Combine this with L (lessons learned) to rebuild differently than before.
To close out this essay though, I want to reiterate Strong Auth. If you’ve got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)
This is an excellent comment, thanks for writing this up
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters | More Letters |
---|---|
CGNAT | Carrier-Grade NAT |
DNS | Domain Name Service/System |
HTTP | Hypertext Transfer Protocol, the Web |
IP | Internet Protocol |
LXC | Linux Containers |
NAS | Network-Attached Storage |
NAT | Network Address Translation |
SSH | Secure Shell for remote terminal access |
VPN | Virtual Private Network |
VPS | Virtual Private Server (opposed to shared hosting) |
nginx | Popular HTTP server |
[Thread #884 for this sub, first seen 24th Jul 2024, 19:35] [FAQ] [Full list] [Contact] [Source code]
You can use cloudflare tunnels which skips having to open ports and can also proxy the connection so people can't find your home IP address depending on what services you're setting up
Obligatory Cloudflare notice
What's the notice?
People don't like centralizing the Internet in a single service. There's nothing wrong with the product. It works great and is much more secure than opening ports in your home network. This community is just more biased toward decentralization and privacy, which is a common reason for people to start self hosting.
I think wireguard can allow you to set up a similar external connection with some extra steps. This would remove Cloudflare from the loop.
Oh got it, I use wire guard as a VPN for services that only I need but for things I share with multiple people I use cloudflare tunnel after learning about it from youtube tutorials
So, no-one's mentioned tailscale. If it's just for you, or some select friends, it's probably the least friction to get secure access to your home network. Still, gotta check your threat matrix, do you really need it, is it really worth it for that occasional, maybe hypothetical usage ? Least access is best security...
Do you need to serve an actual public like a website does? If not then you shouldn't be exposing any fucking services except for wireguard for you and your handful of users.
I've never set up a VPN. I've connected to them for work, sure, and I've dealt with port forwarding for games back in the day. Is it much trickier? Their site makes it sound pretty easy.
Isolate it all and keep on top of security advisories and updates
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!