I understand that people enter the world of self hosting for various reasons. I am trying to dip my toes in this ocean to try and get away from privacy-offending centralised services such as Google, Cloudflare, AWS, etc.
As I spend more time here, I realise that it is practically impossible; especially for a newcomer, to setup any any usable self hosted web service without relying on these corporate behemoths.
I wanted to have my own little static website and alongside that run Immich, but I find that without Cloudflare, Google, and AWS, I run the risk of getting DDOSed or hacked. Also, since the physical server will be hosted at my home (to avoid AWS), there is a serious risk of infecting all devices at home as well (currently reading about VLANS to avoid this).
Am I correct in thinking that avoiding these corporations is impossible (and make peace with this situation), or are there ways to circumvent these giants and still have a good experience self hosting and using web services, even as a newcomer (all without draining my pockets too much)?
Edit: I was working on a lot of misconceptions and still have a lot of learn. Thank you all for your answers.
Getting DDOSed or hacked is very very rare for anyone self hosting. DDOS doesn’t really happen to random people hosting a few small services, and hacking is also rare because it requires that you expose something with a significant enough vulnerability that someone has a way into the application and potentially the server behind it.
But it’s good to take some basic steps like an isolated VLAN as you’ve mentioned already, but also don’t expose services unless you need to. Immich for example if it’s just you using it will work just fine without being exposed to the internet.
I’ve self hosted home assistant for a few years, external access through Cloud flare now because it’s been so stablez but previously used DuckDNS which was a bit shit if I’m honest.
I got into self hosting proper earlier this year, I wanted to make something that I could sail the 7 seas with.
I use Tailscale for everything.
The only open port on my router is for Plex because I’m a socialist and like to share my work with my friends.
Just keep it all local and use it at home. If you wanna take some of your media outside with you, download it onto your phone before you leave
Not my experience so far with my single service I’ve been running for a year. It’s making me even think of opening up even more stuff.
Yeah na, put your home services in Tailscale, and for your VPS services set up the firewall for HTTP, HTTPS and SSH only, no root login, use keys, and run fail2ban to make hacking your SSH expensive. You’re a much smaller target than you think - really it’s just bots knocking on your door and they don’t have a profit motive for a DDOS.
From your description, I’d have the website on a VPS, and Immich at home behind TailScale. Job’s a goodun.
Just changing the SSH port to non standard port would greatly reduce that risk. Disable root login and password login, use VLANs and containers whenever possible, update your services regularly and you will be mostly fine
I have servers on Digital Ocean and Linode and also one in my basement, and have had no problem. I do have all services behind NPM (not to suggest it’s a panacea) and use HTTPS/SSH for everything. (not to suggest HTTPS/SSH are either) My use case could be different than yours - my immediate family are my only consumers - but have been running the same services in those locations for a few years now without issue.
Other than the low chance of you being targeted I would say only expose your services through something like Wireguard. Other than the port being open attackers won’t know what it’s for. Wireguard doesn’t respond if you don’t immediately authenticate.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAS Network-Attached Storage NAT Network Address Translation NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency Plex Brand of media server package SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #832 for this sub, first seen 26th Jun 2024, 10:25] [FAQ] [Full list] [Contact] [Source code]
Can you (or a human) expand NPM, presumably not the Node Package Manager?
NPM
Nginx Proxy Manager, I assume
DDOS against a little self hosted instance isn’t really a concern I’d have. I’d be more concerned with the scraping of private information, ransomware, password compromises, things of that nature. If you keep your edge devices on the latest security patches and you are cognizant on what you are exposing and how, you’ll be fine.
Of course security comes with layers, and if you’re not comfortable hosting services publically, use a VPN.
However, 3 simple rules go a long way:
-
Treat any machine or service on a local network as if they were publically accesible. That will prevent you from accidentally leaving the auth off, or leaving the weak/default passwords in place.
-
Install services in a way that they are easy to patch. For example, prefer phpmyadmin from debian repo instead of just copy pasting the latest official release in the www folder. If you absolutely need the latest release, try a container maintained by a reasonable adult. (No offense to the handful of kids I’ve known providing a solid code, knowledge and bugreports for the general public!)
-
Use unattended-upgrades, or an alternative auto update mechanism on rhel based distros, if you don’t want to become a fulltime sysadmin. The increased security is absolutely worth the very occasional breakage.
-
You and your hardware are your worst enemies. There are tons of giudes on what a proper backup should look like, but don’t let that discourage you. Some backup is always better than NO backup. Even if it’s just a copy of critical files on an external usb drive. You can always go crazy later, and use snapshotting abilities of your filesystem (btrfs, zfs), build a separate backupserver, move it to a different physical location… sky really is the limit here.
-
The DDOSED hype on this site is so over played. Oh my god my little self hosted services are going to get attacked. Is it technically possible yes but it hasn’t been my experience.
DDoSing cost the attacker some time and resources so there has to something in it for them.
Random servers on the internet are subject to lots of drive-by vuln scans and brute force login attempts, but not DDoS, which are most costly to execute.
99% of people think they are more important than they are.
If you THINK you might be the victim of an attack like this, you’re not going to be a victim of an attack like this. If you KNOW you’ll be the victim of an attack like this on the other hand…
Many of us also lived through the era where any 13 year old could steal Mommy’s credit card and rent a botnet for that ezpz
My MC server a decade ago was tiny and it still happened every few months when we banned some butthurt kid
I host a handful of Internet facing sites/applications from my NAS and have had no issues. Just make sure you know how to configure your firewall correctly and you’ll be fine.
It depends on what your level of confidence and paranoia is. Things on the Internet get scanned constantly, I actually get routine reports from one of them that I noticed in the logs and hit them up via an associated website. Just take it as an expected that someone out there is going to try and see if admin/password gets into some login screen if it’s facing the web.
For the most part, so long as you keep things updated and use reputable and maintained software for your system the larger risk is going to come from someone clicking a link in the wrong email than from someone haxxoring in from the public internet.
Firewall, Auth on all services, diligent monitoring, network segmentation (vlans are fine), and don’t leave any open communications ports, and you’ll be fine.
Further steps would be intrusion detecting/banning like crowdsec for whatever apps leave world accessible. Maybe think about running a BSD host and using jails.
Freebsd here with jails, very smooth running and low maintenance. Can’t recommend it enough
Love jails. My server didn’t move with me to Central America, and I miss Free/TrueNAS jails
Dw truenas core is dead/EoL so it’s either truenas scale (Debian) or freebsd now
EoL? They’re releasing betas regularly and announced 13.3 for Q2. You mean how they’re sort of winding down with scale taking the bulk of dev cycles? Not much to change with the platform, and security fixes will be backported to CORE. I think SCALE still doesn’t fit my use-case, hut when it does, and jails go away with CORE, I’ll shed a tear and pour one out for my homie.
The devs said there will never be any newer versions after this release, maintenance only
Use a firewall like OPNsense and you’ll be fine. There’s a Crowdsec plugin to help against malicious actors, and for the most part, nothing you’re doing is worth the trouble to them.
You can. I am lucky enough to not have been hacked after about a year of this, and I use a server in the living room. There are plenty of guides online for securing a server. Use common sense, and also look up threat modeling. You can also start hosting things locally and only host to the interwebs once you learn a little more. Basically, the idea that you need cloudflare and aws to not get hacked is because of misleading marketing.
Man if your lucky enough after a year I must be super duper lucky with well over a decade.