Selfhosted

45411 readers

522 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

[email protected]

108

What steps do you take to secure your server and your selfhosted services? (lemmy.selfhostcat.com)

submitted 1 day ago* (last edited 1 day ago) by [email protected] to c/[email protected]

49 comments fedilink hide all child comments

Inspired by this comment to try to learn what I'm missing.

Cloudflare proxy
Reverse Proxy
Fail2ban
Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 5 points 1 day ago (2 children)

My new strategy is to block EVERY port except WireGuard. This doesn't work for things you want to host publicly ofc, like a website, but for most self host stuff I don't see anything better than that.

[–] [email protected] 2 points 1 day ago (1 children)

My new strategy is to block EVERY port

Wow! All 65535 +/-, in and out? That's one way to skin a cat.

[–] [email protected] 3 points 1 day ago (1 children)

ez pz:

#!/usr/sbin/nft -f
table inet filter {
    chain input {
        type filter hook input priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain forward {
        type filter hook forward priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain output {
        type filter hook output priority raw; policy accept;
    }
}

[–] [email protected] 1 points 1 day ago* (last edited 1 day ago)

I've seen it done as such:

sudo ufw deny out 1:19/tcp sudo ufw deny out 1:19/udp sudo ufw deny out 22:52/tcp sudo ufw deny out 22:52/udp sudo ufw deny out 54:79/tcp sudo ufw deny out 54:79/udp sudo ufw deny out 81:122/tcp sudo ufw deny out 81:122/udp sudo ufw deny out 124:442/tcp sudo ufw deny out 124:442/udp sudo ufw deny out 444:65535/tcp sudo ufw deny out 444:65535/udp

But your way seems a bit more elegant

[–] [email protected] 2 points 1 day ago

I do this too. Took me a little effort to set things up, but now its so easy.