this post was submitted on 07 Aug 2025
17 points (94.7% liked)

I'm in the process of setting up homelab stuff and I've been doing some reading. It seems the consensus is to put everything behind a reverse proxy and use a VPN or Cloudflare tunnel.

I plan to use a VPN for accessing my internal network from outside and to protect less battle-tested FOSS software. But I feel like if I can't open a port to the internet to host a webserver then the internet is no longer a free place and we're cooked.

So my question is, can I expose webserver, SSH, WireGuard to the internet with reasonable safety? What precautions and common mistakes do I need to watch out for?

litchralee@sh.itjust.works 3 points 1 week ago* (last edited 1 week ago) (1 children)

Can I expose webserver, SSH, WireGuard to the internet with reasonable safety?

Yes, yes, and yes. Though in all three cases, you would want to have some sort of filtering and IPS in place, like fail2ban or similar, at an absolute minimum. There are port scanners of all kinds scanning for vulnerable software that can be exploited. Some people suggest changing the port numbers away from the default, and while security through obscurity can be a valid tactic, it alone is not a layer of your security onion.

A reverse proxy plus tunnel is a reasonable default recommendation because it is easy and prevents a large class of low-effort attacks and exploits, but tunneling has its drawbacks such as adding a component that exists outside of your direct control. It is also not a panacea. Reverse proxying alone is also workable, as it means just one point of entry to reinforce with logging and blocking.

But I feel like if I can't open a port to the internet to host a webserver then the internet is no longer a free place and we're cooked.

The Internet is still (for now) a free place, but just like with free speech, effort must be expended to keep it free. The threats have increased and while other simpler options have arisen to fill demand for self hosting, this endeavor is about investing sufficient time and effort to keep it going.

In my estimation, it is no different than tending to a garden in the face of rising environmental calamities. You can and should do it, so long as you're fully informed about the effort required.
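A sketch of the fail2ban-style filtering recommended in the comment above, added here as an example (it is not part of the thread and is not fail2ban's own code): count failed SSH logins per source address inside a sliding window and report the addresses that cross the threshold. The parameter names mirror fail2ban's `maxretry`, `findtime` and `ignoreip` options; the log lines and their ISO timestamp format are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
2025-08-07T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2025-08-07T10:00:03 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
2025-08-07T10:00:04 sshd[812]: Accepted publickey for alice from 198.51.100.20 port 51514 ssh2
2025-08-07T10:00:06 sshd[811]: Invalid user test from 203.0.113.7 port 40120
2025-08-07T10:00:09 sshd[813]: Failed password for alice from 198.51.100.20 port 51600 ssh2
2025-08-07T10:00:10 sshd[811]: Failed password for root from 203.0.113.7 port 40126 ssh2
2025-08-07T10:30:00 sshd[820]: Failed password for bob from 198.51.100.20 port 51700 ssh2
"""

# Matches only failure lines; captures the timestamp and the source address.
FAIL_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (\S+) port \d+"
)

def find_offenders(log_text, maxretry=3, findtime_s=600, ignoreip=()):
    """Return {ip: ISO time of the failure that crossed the threshold}."""
    allow = [ipaddress.ip_network(n) for n in ignoreip]
    findtime = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in allow):
            continue              # never ban allowlisted sources (avoids self-lockout)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than the window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts.isoformat()
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip} (threshold crossed at {when})")
```

The second address in the sample has two failures 30 minutes apart, so it stays under the threshold with the default 10-minute window; widening the window or lowering the threshold changes that, which is the trade-off to tune against your own legitimate login mistakes.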

Auth@lemmy.world 1 points 4 days ago

Thanks for the answer, it was very helpful and thanks to everyone else who answered in this thread.