this post was submitted on 02 Apr 2025
122 points (98.4% liked)

Selfhosted

46293 readers
44 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
122
What steps do you take to secure your server and your selfhosted services? (lemmy.selfhostcat.com)
submitted 3 weeks ago* (last edited 3 weeks ago) by [email protected] to c/[email protected]
58 comments fedilink hide all child comments
 

Inspired by this comment to try to learn what I'm missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 3 weeks ago (2 children)

My new strategy is to block EVERY port except WireGuard. This doesn't work for things you want to host publicly ofc, like a website, but for most self host stuff I don't see anything better than that.

[–] [email protected] 2 points 3 weeks ago (1 children)

My new strategy is to block EVERY port

Wow! All 65535 +/-, in and out? That's one way to skin a cat.

[–] [email protected] 3 points 3 weeks ago (1 children)

ez pz:

#!/usr/sbin/nft -f
table inet filter {
    chain input {
        type filter hook input priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain forward {
        type filter hook forward priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain output {
        type filter hook output priority raw; policy accept;
    }
}
[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago)

I've seen it done as such:

sudo ufw deny out 1:19/tcp sudo ufw deny out 1:19/udp sudo ufw deny out 22:52/tcp sudo ufw deny out 22:52/udp sudo ufw deny out 54:79/tcp sudo ufw deny out 54:79/udp sudo ufw deny out 81:122/tcp sudo ufw deny out 81:122/udp sudo ufw deny out 124:442/tcp sudo ufw deny out 124:442/udp sudo ufw deny out 444:65535/tcp sudo ufw deny out 444:65535/udp

But your way seems a bit more elegant

[–] [email protected] 2 points 3 weeks ago

I do this too. Took me a little effort to set things up, but now its so easy.