Exposing stuff to the internet shouldn't be that scary... I haven't had any incidents so far in 8 years. Yes, you see plenty of illegitimate access attempts in the logs, but if everything is properly patched, it should be OK.
Yes, I run many services and websites on the public web from my homelab. Harden your server first. Like disabling root SSH login.
Also enable auto updates on your server. Use your router/server to block some countries using GeoIP (especially if those services are meant for only a couple of people within your country, maybe?). You could also use block lists; there are many bad IP lists out there.
Configure rate limits in Nginx.
You also mentioned fail2ban. You can define many rules and actions. Like blocking IPs that might go over your previously defined rate limits. Or a 4xx action for IPs that request a lot of non-existent pages (404 errors).
Also, captchas won't cut it anymore today. Try https://github.com/TecharoHQ/anubis
Of course expose only what you want to expose, so only open ports in your firewall you really want to open. Ideally put everything behind a reverse proxy like Nginx.
Let's start with all of the things mentioned above. Ping me later if you want to know more or have questions.
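The two fail2ban rules the post sketches (ban an IP that goes over the rate limit, and ban an IP that requests lots of non-existent pages) come down to counting events per IP inside a sliding window. The script below is an added example and is not from the post or from fail2ban itself: it parses nginx "combined" access-log lines and applies both rules with fail2ban-style findtime/maxretry semantics. The log lines, IP addresses (RFC 5737 documentation ranges) and thresholds are all constructed for the example.

```python
"""Fail2ban-style detection over nginx access-log lines (added example).

Implements the two jail rules described in the post: ban an IP that requests
many non-existent pages (404s) and ban an IP that exceeds a request rate,
using a sliding window per IP the way fail2ban's findtime/maxretry work.
The log lines are constructed for this example, not taken from a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format:
# remote_addr - remote_user [time_local] "request" status body_bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" (?P<status>\d{3}) (?:\d+|-)'
)


def parse_line(line):
    """Return (ip, timestamp, status), or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def _hits_in_window(q, ts, window):
    """Record an event at ts and return how many events fall inside the trailing window."""
    q.append(ts)
    while q and ts - q[0] > window:
        q.popleft()
    return len(q)


def find_offenders(lines, *, window=timedelta(seconds=60), max_404=5, max_requests=10):
    """Map offending IP -> reason. An IP is flagged once it reaches max_404 404s,
    or max_requests requests of any status, inside `window`. Lines must be in
    chronological order per IP, as they are in a real access log."""
    recent_requests = defaultdict(deque)
    recent_404s = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # fail2ban likewise skips lines its filter regex does not match
        ip, ts, status = parsed
        if _hits_in_window(recent_requests[ip], ts, window) >= max_requests:
            offenders.setdefault(ip, "rate limit exceeded")
        if status == 404 and _hits_in_window(recent_404s[ip], ts, window) >= max_404:
            offenders.setdefault(ip, "too many 404s")
    return offenders


def _line(ip, hhmmss, path, status):
    """Builder for the constructed sample lines below (RFC 5737 documentation IPs)."""
    return f'{ip} - - [10/Oct/2024:{hhmmss} +0000] "GET {path} HTTP/1.1" {status} 153 "-" "curl/8.0"'


PROBES = ["/wp-login.php", "/.env", "/phpmyadmin/", "/.git/config", "/admin/", "/backup.zip"]
SAMPLE_LOG = [
    # scanner probing for files that do not exist: six 404s in six seconds
    *[_line("203.0.113.7", f"13:55:{s:02d}", p, 404) for s, p in enumerate(PROBES)],
    # flood: twelve successful requests in twelve seconds
    *[_line("198.51.100.9", f"13:56:{s:02d}", "/", 200) for s in range(12)],
    # ordinary visitor with one typo, spread over minutes: not an offender
    _line("192.0.2.5", "13:50:00", "/", 200),
    _line("192.0.2.5", "13:52:30", "/favicn.ico", 404),
    _line("192.0.2.5", "13:57:00", "/", 200),
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for ip, reason in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

The "rate limit exceeded" rule is the same condition nginx's `limit_req` enforces at request time; counting it here as well is what lets fail2ban escalate from "reject this request" to "drop the source at the firewall for a while". Tune `window`, `max_404` and `max_requests` against your own traffic before wiring the result to a ban action, and never use the LAN or your own egress address as a test source.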
Harden your server first
Do you have any tutorials or guides on this handy?
Use your router/server to block some countries using GeoIP
Yeah, definitely all my users are in the same town/region/country as me. So this could be doable.
Configure rate limits in Nginx
Hm, currently using Caddy as my reverse proxy. I guess there's some module for this.
only open ports in your firewall you really want to open
The only port I need open is 443 for accessing Jellyfin and Immich. I can definitely block 22 from the public internet. And fuck it, no automatic redirects from 80 to 443. TLS or bust.
Caddy is also fine.
I wrote a blog post about server hardening that you might find useful: https://blog.melroy.org/2023/server-hardening/
If you're looking to actually do Fail2ban, look into crowdsec first. It's a similar concept but instead of creating your own block lists by people hammering against your system until they're banned, it uses community-populated lists to pre-ban known bad actors.
I know a lot of people shit on it from a decentralization perspective, but I use Cloudflare to expose all my services. Then anyone who hits my sites has to go through Cloudflare's detections first. I have all my services behind a reverse proxy (nginx proxy manager) running locally, and that's the only thing exposed to the Internet through my router, and that ONLY allows connections at all from Cloudflare IPs or my local network. My home IP is obfuscated, my services can only be accessed using the ports I define, and things are happy. I also block as much as possible on my router, and have automatic updates on all my server VMs/LXCs.
You could also set up a Cloudflare tunnel to go to the reverse proxy and avoid needing to expose anything to the direct Internet.
Just turn off caching for any media server domains/subdomains if you go with Cloudflare, or else it will try to cache any media on their servers, and it's technically a ToS violation, so people get their accounts banned. It's a simple setup to disable cache, though.
What kinds of things are you planning to expose? What I expose I hide behind a reverse proxy with IP whitelists. Whatever I don't need access to on the go I don't expose.
What kinds of things are you planning to expose?
Primarily Jellyfin and Immich.
What I expose I hide behind a reverse proxy with IP whitelists.
Do all your clients have fixed IPs? I have some clients that are phones or laptops, but I would imagine those change as people drive around to different cities or connect to different coffee shop WiFi.
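Two of the posts above lean on source-IP checks: the origin that only accepts connections from Cloudflare's ranges or the LAN, and the reverse proxy with a per-client IP whitelist. Both only hold if the address you check is the one you think it is. The script below is an added example (not from either poster, nginx proxy manager, or Cloudflare) showing the check done properly: the forwarded client header is believed only when the TCP peer is one of the trusted edge ranges, and from anyone else it is ignored because the client can set it to anything. Every range, address and header value in it is a constructed placeholder from the RFC 5737 and RFC 1918 blocks; a real deployment would load the CDN's published ranges instead.

```python
"""Allow-listing at the origin behind a CDN or reverse proxy (added example).

Two checks from the thread: the origin accepts connections only from the
edge ranges or the LAN, and a per-client IP allowlist is applied to the real
client address. The forwarded header (CF-Connecting-IP or X-Forwarded-For)
is trusted only when the TCP peer is a trusted proxy; otherwise it is
attacker-controlled and ignored. All ranges below are constructed
placeholders (assumption), not Cloudflare's published ranges.
"""
import ipaddress


def parse_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def in_any(ip, networks):
    if not _is_ip(ip):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# constructed placeholders (assumption): edge ranges, LAN, and who may use the app
TRUSTED_PROXIES = parse_networks(["198.51.100.0/24"])
LOCAL_NETWORKS = parse_networks(["10.0.0.0/8"])
ALLOWED_CLIENTS = parse_networks(["203.0.113.0/24", "10.0.0.0/8"])


def resolve_client(remote_addr, headers, *, trusted_proxies, local_networks):
    """Return (client_ip, how), or (None, reason) if the connection must be refused."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if in_any(remote_addr, local_networks):
        # a LAN host is a client, not a proxy: any forwarded header it sends is ignored
        return remote_addr, "direct from LAN"
    if in_any(remote_addr, trusted_proxies):
        client = hdrs.get("cf-connecting-ip")
        if not client and "x-forwarded-for" in hdrs:
            # a client can prepend junk to X-Forwarded-For; the trusted proxy
            # appends the address it actually saw, so only the rightmost entry counts
            client = hdrs["x-forwarded-for"].split(",")[-1].strip()
        if client and _is_ip(client):
            return client, "via trusted proxy"
        return None, "trusted proxy sent no usable client address"
    return None, "peer is neither a trusted proxy nor on the LAN"


def check_request(remote_addr, headers, *, trusted_proxies=TRUSTED_PROXIES,
                  local_networks=LOCAL_NETWORKS, allowed_clients=ALLOWED_CLIENTS):
    """Return (allowed, detail) for one incoming connection."""
    client, how = resolve_client(remote_addr, headers,
                                 trusted_proxies=trusted_proxies,
                                 local_networks=local_networks)
    if client is None:
        return False, how
    if allowed_clients and not in_any(client, allowed_clients):
        return False, f"client {client} ({how}) is not on the allowlist"
    return True, f"client {client} ({how})"


# constructed connections (assumption): peer address and the headers it sent
SAMPLE_CONNECTIONS = [
    ("198.51.100.10", {"CF-Connecting-IP": "203.0.113.20"}),          # real user through the CDN
    ("192.0.2.44", {"X-Forwarded-For": "203.0.113.20"}),              # direct hit with a spoofed header
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.20"}),                # LAN client, header ignored
    ("198.51.100.10", {"X-Forwarded-For": "203.0.113.20, 192.0.2.99"}),  # client prepended an allowed IP
    ("198.51.100.10", {}),                                            # proxy without a client header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_CONNECTIONS:
        allowed, detail = check_request(peer, hdrs)
        print(f"{'ALLOW' if allowed else 'DENY '} {peer}: {detail}")
```

In nginx the same two steps are the `allow`/`deny` directives for the edge ranges and the realip module (`set_real_ip_from` for each edge range plus `real_ip_header CF-Connecting-IP;`), and at the firewall they are a rule that drops 443 from anything outside those ranges. The question in the last post stands, though: a per-client allowlist only works for clients with fixed addresses, which is why the rest of the thread reaches for a VPN or for authentication in front of the service instead of IP rules for roaming phones and laptops.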
Exposing services to the internet is a whole other game. Try WireGuard first; I never had issues and use it mostly from my tablet.
I have all my services behind a reverse proxy and use Crowdsec to monitor and block automated attacks. I also have pocket-id for auth, I use SSO for apps that support it and others just require authentication to access them at all. The docs are pretty solid, it was easy to set up.
Make sure you know the services running on your server, the most likely way you could get attacked is by just leaving some vulnerable or misconfigured software running and accessible.
Also I'd probably set up account lockouts on any software you can, I know Jellyfin supports it.
I've had to stop using it on my Pixel. In the last few months I have more and more suddenly lost all connectivity outside of my tailscale network. I tried excluding apps but I still will randomly fail to receive SMS or calls, suddenly getting them delivered in a rush when I disconnect from tailscale.
If anyone has any tools to recommend troubleshooting the phones connection let me know. I have no idea how to learn more about the problem beyond the obvious "If tailscale isn't on, it doesn't happen."
GAAH! OK! I'M NOT CRAZY!
The exact same thing is happening to my wife's phone. We're both on Pixel 8s, have the same VPN settings, but for some magic reason Tailscale breaks only her phone. She has to turn off Tailscale and reboot her phone to regain connectivity.
These shenanigans are why I'm considering just exposing things to the public internet. I'm using Tailscale on several device types and Tailscale adds friction to all of my devices (except Arch, where everything always works).
I understand the friction is there for a good reason, but my family doesn't. They just see that Jellyfin doesn't work and that all of this is buggy and maybe they just should sign up for Netflix instead of dealing with all of these bugs.
I've had a pretty good experience with it aside from this recent problem with my phone - Pixel 8 Pro. It's a big deal right now - I have a number of self-hosted services I use on my phone accessed through a shared subnet via Tailscale. When I left it enabled, multiple times a day I'd lose connectivity entirely. It would get fixed if I just quickly disable-enable it... at least until it randomly happens again in an hour or two. I started using split tunneling, which I think fixed the connectivity issue for internet-dependent apps, but nothing I tried fixed calls and texts.
Unfortunately, my mother has been having a number of health issues so there is no fucking way I'm going to risk missing calls and texts...so I just deal with being disconnected from my servers for now. I really wish there was a solution or something I could do to figure out what's going wrong. I can't keep trying random things and risk it. Calls from my mother are virtually the only calls I get, other than spam.