116

I currently have a home server which I use a lot and which has a few important things on it, so I kindly ask for help making this setup safer.

I have an OpenWrt router on my home network with the firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have IPv6, so I use a domain that points to my IPv6 address, which is how I access my server when I am not on the LAN and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have AdGuard Home. I use a Let's Encrypt certificate with this proxy.

nginx, AdGuard Home and almost all of my services are running in containers. I use rootless Podman for containers. My network driver is pasta, and no container has "--net host", although the containers can access host services because they have the option "--map-guest-addr" set, so I don't know if this is any safer than "--net host".

I have two means of accessing the server via SSH, either password+2FA or SSH key, but the SSH port is LAN only, so I believe this is fine.

My main concern is that I have a lot of personal data on this server: some things that I access only locally, such as family photos and docs (these are literally not accessible over WAN and I wouldn't want them to be), and some less critical things which are indeed accessible externally, such as my calendars and tasks (using CalDAV and Baikal), for example.

I run daily encrypted backups into OneDrive using restic+Backrest, so if the server were to die I believe this would be fine. But I wouldn't want anyone to actually get access to that data. Although I believe, more likely than not, an invader would be more interested in running cryptominers or something like that.

I am not concerned about DoS attacks, because I don't think I am a worthy target, and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about WireGuard, but I don't really understand how it adds security. I would basically just change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my server's security.
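As an added illustration of the WireGuard question raised in the post above (this is not part of the original post and is not the poster's configuration), here is a minimal pair of WireGuard configs for exactly this setup: the home server as the WireGuard peer reachable over the public IPv6 address, and a laptop or phone as the roaming client. The hostname home.example.net, the tunnel subnet 10.8.0.0/24, the LAN subnet 192.168.1.0/24, the UDP port 51820 and all key strings are placeholders I chose; they are not values from the post.

```ini
# /etc/wireguard/wg0.conf on the home server (example, not the poster's file)
# Only a peer holding the private key that matches a PublicKey listed below
# gets any reply at all; packets from anyone else are dropped silently, so a
# port scan of UDP 51820 shows nothing, unlike TCP 443 where nginx has to
# complete a TLS handshake with any client before it can tell who they are.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER_BASE64=

[Peer]
# the laptop; AllowedIPs pins which source address this key may use
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER_BASE64=
AllowedIPs = 10.8.0.2/32

# /etc/wireguard/wg0.conf on the laptop (example, not the poster's file)
[Interface]
Address = 10.8.0.2/24
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER_BASE64=
# resolve through AdGuard Home on the server instead of whatever network we are on
DNS = 10.8.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER_BASE64=
# Endpoint may be an AAAA-only name; WireGuard is happy to run over IPv6
Endpoint = home.example.net:51820
# route only the tunnel and the home LAN through the VPN, not all traffic
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# keep the NAT/firewall state alive while the laptop is idle
PersistentKeepalive = 25
```

The security gain is not the port number but what answers on it: the WireGuard listener responds only to traffic authenticated by a pre-registered public key, so the services behind it (the LAN-only photo and document shares, SSH) never see an unauthenticated packet, whereas every service published on 443 must accept a connection from anyone and rely on its own login screen. On the OpenWrt side this means one additional firewall rule accepting UDP 51820 from the wan zone; services that only need to be reachable by the poster can then be taken off 443 and reached via the 10.8.0.0/24 address instead, or kept behind nginx with an allow for 192.168.1.0/24 and 10.8.0.0/24 followed by deny all.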

[-] miau@lemmy.sdf.org 8 points 1 month ago

Have you played around with Grafana? It really is quite simple if you have Prometheus already working.

For a home lab environment you don't even need to use prometheus-alertmanager. Grafana can handle alerts as well.

Grafana also has hundreds of pre-made dashboards you can import. Node monitoring is quite straightforward.

Assuming you have Prometheus good to go, all you need to do is go to Grafana - Datasources, create a new datasource, and point it to your Prometheus instance.

Then you can import the dashboards you want.

Now you can set up your alerts; you can use SMTP, Telegram, Slack, among others, for your notifications.

[-] miau@lemmy.sdf.org 8 points 1 month ago

Your memory is not far off. Mark used failed logins to access other people's emails:

https://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3

I can't say if he intentionally saved passwords unencrypted, but he certainly saved login attempts.

[-] miau@lemmy.sdf.org 27 points 2 months ago

Thanks for sharing! Not all people are aware of the possible dangers and I believe we tend to assume things are safe nowadays.

[-] miau@lemmy.sdf.org 7 points 3 months ago

While I think Obsidian is pretty awesome, I was disappointed with The Outer Worlds. Pentiment had a really interesting story, though.

[-] miau@lemmy.sdf.org 6 points 3 months ago

Because it's fun even if the input method isn't perfect. Especially so for casual gamers. Both ports of Age of Empires play really well on console, and I suppose Age of Mythology will be just as great.

[-] miau@lemmy.sdf.org 6 points 3 months ago

Does this harm Twitter in any way?

I mean, if they are still reachable and usable in Brazil, they can still serve ads to those users, and so it seems their business doesn't change much?

But there must have been some advantage for Twitter in having an office there, otherwise they wouldn't have opened it in the first place.

[-] miau@lemmy.sdf.org 12 points 3 months ago

I really liked it. It looks very clean and friendly. I can identify the UI elements at a glance. I know it is not modern and sleek and it doesn't look "gamer" at all, but function-wise I think this is great.

[-] miau@lemmy.sdf.org 8 points 3 months ago

Thanks for the rant, loved reading through it.

It is an interesting thought to think that a poor person is given desire but those ultra rich seem to have converted all of theirs into "more, more, more". Almost like a dragon hiding in their cave hoarding all their treasures.

[-] miau@lemmy.sdf.org 24 points 4 months ago

Honest question: why not use nginx?

I have run it in so many different scenarios, both professionally and personally, it's crazy. Nginx has never failed me, literally. My home server is quite limited, but nginx has a very small footprint, it performs beautifully well and it satisfies all my hosting, proxying, redirecting and streaming needs.

It works for modern and legacy applications, custom code, web hosting, supports all the modern features, and its configuration is very easy, with literally thousands of examples available online.

Apache probably can do all that, but I hate how unintuitive its configuration is to me personally. HAProxy can't do half the stuff nginx does.

As for Caddy, I've heard of it but never really used it. What does it offer that nginx doesn't?

[-] miau@lemmy.sdf.org 6 points 4 months ago

I don't personally mind microtransactions as long as they are cosmetic only. What I do mind is how matchmaking got terribly bad.

[-] miau@lemmy.sdf.org 8 points 4 months ago

Not a very recognizable meme, so I hope you guys at least find out what it is.

Prompt: "A human Norse male wearing an iron helmet stands in a stone and wood city, looking towards the camera. The helmet fully covers his face and its shadow hides his eyes. A yellowish cloth wraps his neck and covers his shoulder."

Workflow: created using Bing AI.

[-] miau@lemmy.sdf.org 7 points 4 months ago

I am sorry that happened to you.

Thanks for sharing your story, though. I have a few domains, two of them being very important to me (one I use for all my emails, and the other for all my self-hosted stuff), so I'll be paying close attention to their renewal.

I hope you can find another domain that you like and that you can transfer your stuff to it.

20
submitted 4 months ago by miau@lemmy.sdf.org to c/privacy@lemmy.ml

So I found out about Forward Email just a few months ago.

I am currently using Tuta as my email provider, and I have been doing so for the last three years. But I am not very happy with the closed ecosystem and the locking of basic features behind paywalls.

So I decided to give Forward Email a go after reading about it on the Free Software Foundation's webmail systems page (this is a web archive link, more on that later).

Now the thing is, the service works. But things don't really feel legit. They claim to have thousands of users, but there's surprisingly little information about them other than their own website. The branding seems completely generic, and pretty much all of their code seems to be coming from one single account with no real information.

There are a couple of reviews about them on Trustpilot, but the positive ones mostly come from accounts where the only review is for forwardmail.net.

I've read some discussion about them getting recommended on Privacy Guides; they sounded very professional and even mentioned wanting to get audited, but to the best of my knowledge that has not happened yet (please correct me if I am wrong). Worse than that, they seem to have stopped replying to the thread a couple of months ago.

Finally, I realized today that the FSF has removed its recommendation for Forward Email from its website.

In conclusion, I have tested and the service does work, but I can't tell if there is something shady happening. What do you all think?


miau

joined 1 year ago