this post was submitted on 26 Aug 2023
24 points (100.0% liked)

Self Hosted - Self-hosting your services.

11447 readers
2 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Cross-posting

If you see a rule-breaker please DM the mods!

founded 3 years ago
MODERATORS
 

For example, I prefer to use a VPN instead of port forwarding. And I use SSH for anything I used to use an FTP for.

top 16 comments
sorted by: hot top controversial new old
[–] thisisawayoflife@lemmy.world 10 points 1 year ago

I share services with the public, so... strong passwords on everything, MFA, host scanning, SSH MAC/KEX/ciphers tweaked to ultra modern set and exposed only with keys with f2b activating on first failure, constant backups and automatic updates and scheduled reboots. Has worked great for a decade+.

SSH key auth for terminal login, plus an nginx proxy and client cert auth on anything accessible by the outside world. I'll expose any internal service I want because nobody is getting through the client cert auth.

[–] A10@kerala.party 4 points 1 year ago* (last edited 1 year ago)

I use a non standard ssh port, Fail2ban, wiregusrd vpn for some services

[–] zelifcam@lemmy.ml 2 points 1 year ago
[–] poVoq@slrpnk.net 2 points 1 year ago (1 children)

TOTP MFA highly recommended on SSH and webconsole. The so called "google-authenticator" makes it easy and despite the name does not use any external Google services.

[–] ReversalHatchery@beehaw.org 5 points 1 year ago (1 children)

Yes, but if using an android phone, the Aegis app may be a better choice. Guaranteed to not have tracking, and secrets are encrypted

[–] poVoq@slrpnk.net 1 points 1 year ago* (last edited 1 year ago) (1 children)

That is indeed what I am using as well. The "google-authenticator" is just an (badly named) open source software that runs on the server and is available in most Linux distro repositories.

[–] ReversalHatchery@beehaw.org 1 points 1 year ago (1 children)

Oh, you mean the PAM module?

[–] poVoq@slrpnk.net 1 points 1 year ago

It can function as that as well AFAIK.

[–] Sharpiemarker@feddit.de 2 points 1 year ago* (last edited 1 year ago)
[–] const_void@lemmy.ml 1 points 1 year ago (1 children)
[–] splendoruranium@infosec.pub 3 points 1 year ago* (last edited 1 year ago) (2 children)

IP whitelisting

How do you do that? I understand how blocklisting would work but how does whitelisting work in practice? How can you know in advance from which IPs you will connect to your home network in the future? That just seems like a recipe for getting stranded in some hotel without a way into your network.

[–] Dogeek@sh.itjust.works 1 points 1 year ago

You could host a proxy on a vps, somewhere, and use that vps ip address for the whitelisting. At this point setting up a VPN sounds more convenient though

[–] const_void@lemmy.ml 1 points 1 year ago (1 children)

Blacklist everything then whitelist the IPs you know you'll be connecting from (work, cell phone, etc). I don't connect from random places usually. If I need to then I use cellular. You might be better off with a VPN if you need to connect from random places.

[–] splendoruranium@infosec.pub 1 points 1 year ago (1 children)

Blacklist everything then whitelist the IPs you know you’ll be connecting from (work, cell phone, etc). I don’t connect from random places usually. If I need to then I use cellular. You might be better off with a VPN if you need to connect from random places.

I see, thanks!
Is there any concern with whitelisting a cellular CGNAT's public IP? Presumably that would potentially whitelist thousands or tens of thousands of other mobile devices at once, wouldn't it?

[–] const_void@lemmy.ml 0 points 1 year ago

Is there any concern with whitelisting a cellular CGNAT’s public IP?

It depends on how much you decide to whitelist. In my case I whitelist my cellular carrier's IP block. Which does expose those services a little more broadly but I'm willing to risk it.