Hey guys,

after reading up on selfhosting for weeks now I finally decided to take the plunge today and tried setting up my own nextcloud & jellyfin instances. For this purpose I am using a mini PC. (similiar to an Intel NUC)

Now I would like to make both services available to the internet so I could show images to friends while I’m at their place / watch movies with them.

The problem is I am currently not very educated on which security measures I would have to take to ensure that my server / mini PC doesn’t immediately become an easy target for a hacker, especially considering that I would host private photos on the nextcloud.

After googling around I feel like I find a lot of conflicting information as well as write-ups that I don’t fully grasp with my limited knowledge so if you guys have any general advice or even places to learn about all these concepts I would be absolutely delighted!

Thank you guys sooo much in advance for any and all help, the c/selfhosted community has been nothing but a great resource for me so far!!!

  • nbailey@lemmy.ca
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Best advice I can give is to make sure the default virtualhost on nginx/apache just sends a 404 to all requests to your IP, and only serve the apps you want when they’re accessed by the correct hostname. The vast majority of spammy scanners are just hitting all public IPs, so as long as you don’t tell them what you’re hosting you’ll be alright.

    Then, I’d advise having some sort of basic web application firewall (WAF). Modsecurity is a common one, NAXSI is another. These take some time to set up, but are quite good at absorbing attempted attacks.

    • vegetaaaaaaa@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I serve HTTP 403 for all requests to the default vhost and log them, harvest IPs through a log aggregator (or just fail2ban) and tag them as bad bots/scanners, and eternal-ban them on all my hosts. Currently have 98451 addresses or networks in my ipset for these.

      For requests to actual domains, I ban after a few unsuccessful authentication attempts. A WAF is nice to have (tedious but fun to set up) - currently working on improving my Modsecurity setup.

      Other than that there is already good advice here:

      • keep OS/packages/installed services up-to-date
      • only run software from trusted (ideally signed) sources
      • use host and network-based firewalls
      • use strong encryption and authentication everywhere
      • only expose what is absolutely required
      • implement good privilege separation (even dedicated users for each app/service, proper file ownership/permissions goes a long way)
      • run scanners to detect possible misconfigurations/hardening measures (systemd-analyze security was mentioned, I also like lynis and debsecan)
      • set up proper logging/monitoring alerting