Yes, I run many services and websites on the public web from my homelab. Harden your server first. Like disabling root SSH login.
Also enable auto updates on your server. Use your router/server to block some countries using geoip (especially if those services are meant for only a couple of people within your country maybe?). You could also use block lists, there are many bad IP lists out there.
Configure rate limits in Nginx.
You also mentioned fail2ban. You can define many rules and actions. Like blocking IPs that might go over your previously defined rate limits. Or a 4xx action for IPs that request a lot of non-existing pages (404 errors).
Also captcha won't cut it anymore today. Try https://github.com/TecharoHQ/anubis
Of course expose only what you want to expose, so only open ports in your firewall you really want to open. Ideally put everything behind a reverse proxy like Nginx.
Let's start with all of the things mentioned above. Ping me later if you want to know more or have questions.
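The 404-based blocking idea from the comment above, as an added example that is not part of the original thread: a Python sketch of the maxretry/findtime style of counting that fail2ban uses, run over constructed nginx combined-format log lines. The function names, thresholds, paths and sample IPs (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_404_offenders(lines, max_retry=5, find_time=timedelta(seconds=60)):
    """Return {ip: timestamp of the 404 that crossed the threshold}.

    An IP is flagged once it causes max_retry 404 responses within
    find_time (a sliding window, like fail2ban's maxretry/findtime).
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, ts, status = m.groups()
        if status != "404" or ip in flagged:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(when)
        # Drop hits that have aged out of the sliding window.
        while when - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            flagged[ip] = when
    return flagged

def make_line(ip, ts, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 153 "-" "curl/8.0"'

SAMPLE_LOG = (
    # Noisy client: six 404s within six seconds.
    [make_line("203.0.113.7", f"10/Mar/2025:12:00:0{i}", f"/probe{i}", 404) for i in range(6)]
    # Regular user: one broken link among normal requests.
    + [make_line("198.51.100.20", "10/Mar/2025:12:00:10", "/", 200),
       make_line("198.51.100.20", "10/Mar/2025:12:00:11", "/old-page", 404)]
    # Slow client: five 404s, each five minutes apart, so never 5 in 60 s.
    + [make_line("192.0.2.50", f"10/Mar/2025:12:{i * 5:02d}:00", "/missing", 404) for i in range(1, 6)]
)

if __name__ == "__main__":
    for ip, when in find_404_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} (threshold crossed at {when.isoformat()})")
```

Only the noisy client is flagged; the single broken link and the slow trickle of 404s stay under the threshold, which is why the window length matters as much as the count.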
Do you have any tutorials or guides on this handy?
Yeah, definitely all my users are in the same town/region/country as me. So this could be doable.
Hm, currently using Caddy as my reverse proxy. I guess there's some module for this.
The only port I need open is 443 for accessing Jellyfin and Immich. I can definitely block 22 from the public internet. And fuck it no automatic redirects from 80 to 443. TLS or bust.
Caddy is also fine.
I wrote a blog about server hardening and you might find it useful: https://blog.melroy.org/2023/server-hardening/