• 0 Posts
  • 5 Comments
Joined 8 months ago
cake
Cake day: April 5th, 2024

help-circle



  • One aspect is how interesting you are as a target. What would a possible attacker gain by getting access to your services or hosts?

    The danger to get hacked is there but you are not Microsoft, amazon or PayPal. Expect login attempts and port scans from actors who map out the internets. But I doubt someone would spend much effort to break into your hosts if you do not make it easy (like scripted automatic exploits and known passwords login attempts easy) .

    DDOS protection isn’t something a tiny self hosted instance would need (at least in my experience).

    Firewall your hosts, maybe use a reverse proxy and only expose the necessary services. Use secure passwords (different for each service), add fail2ban or the like if you’re paranoid. Maybe look into MFA. Use a DMZ (yes, VLANs could be involved here). Keep your software updated so that exploits don’t work. Have backups if something breaks or gets broken.

    In my experience the biggest danger to my services is my laziness. It takes steady low level effort to keep the instances updated and running. (Yes there are automated update mechanisms - unattended upgrades i.e. -, but also downwards compatibility breaking changes in the software which will require manual interactions by me.)


  • I assume you want to access a self hosted service on your local server from the Internet.

    To make the service accessible from the Internet multiple things are required:

    • the router can be accessed from the outside. Find your public IP in the router or use a find-my-ip website. Better: do both. This is the address you can use to access your router (or whatever service you choose to expose through it). Side note: If the Ip-adresses of your router and the one of the find- my- ip- site are different it could mean that your provider uses CG-NAT (because ipv4- addresses are scarce, the provider doesn’t give you a real publicly accessible address). This means you can’t access your router from the Internet. Try IPv6 or contact your provider to get a publicly accessible ipv4- address.
    • because the above mentioned IP- address of your router might change, dyndns is used. Configure it in your router and test it. Test if the DNS- name you have set up resolves to your ip- address (nslookup or ping it).
    • to make your service available to the Internet you need to configure port forwarding in your router (or add your server as exposed host - means all ports are forwarded to the Internet). This means the router passes request to itself on to your internal server. Careful: everybody can access whatever services you expose. Advice: it’s a good idea to use a VPN. Setup a VPN-server in your Lan and only port-forward its port in the router. Connect to the VPN from the outside - Afterwards use the internal services through the vpn- connection.
    • scripts and the internal ip: the dyndns name needs to be used instead of the IP. Find a way to make the scripts use that name to resolve it to your external IP.