Hey guys,
after reading up on selfhosting for weeks now I finally decided to take the plunge today and tried setting up my own nextcloud & jellyfin instances. For this purpose I am using a mini PC (similar to an Intel NUC).
Now I would like to make both services available to the internet so I could show images to friends while I’m at their place / watch movies with them.
The problem is I am currently not very educated on which security measures I would have to take to ensure that my server / mini PC doesn’t immediately become an easy target for a hacker, especially considering that I would host private photos on the nextcloud.
After googling around I feel like I find a lot of conflicting information as well as write-ups that I don’t fully grasp with my limited knowledge so if you guys have any general advice or even places to learn about all these concepts I would be absolutely delighted!
Thank you guys sooo much in advance for any and all help, the c/selfhosted community has been nothing but a great resource for me so far!!!
Best advice I can give is to make sure the default virtualhost on nginx/apache just sends a 404 to all requests to your IP, and only serve the apps you want when they’re accessed by the correct hostname. The vast majority of spammy scanners are just hitting all public IPs, so as long as you don’t tell them what you’re hosting you’ll be alright.
Then, I’d advise having some sort of basic web application firewall (WAF). Modsecurity is a common one, NAXSI is another. These take some time to set up, but are quite good at absorbing attempted attacks.
I serve HTTP 403 for all requests to the default vhost and log them, harvest IPs through a log aggregator (or just fail2ban) and tag them as bad bots/scanners, and eternal-ban them on all my hosts. Currently have 98451 addresses or networks in my ipset for these.
For requests to actual domains, I ban after a few unsuccessful authentication attempts. A WAF is nice to have (tedious but fun to set up) - currently working on improving my Modsecurity setup.
Other than that there is already good advice here: systemd-analyze security was mentioned, I also like lynis and debsecan.
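The catch-all vhost that the two replies above describe, written out as an added nginx example (not configuration from either poster); the hostname, certificate paths and backend port are assumptions:

```nginx
# Catch-all server: requests that arrive by bare IP, with an unknown Host
# header or without SNI get a 404 and are logged to their own file so the
# entries can be fed to fail2ban / an ipset, as described in the replies.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # The TLS listener still needs some certificate (self-signed is fine);
    # these paths are placeholders. On nginx >= 1.19.4 the two ssl_* lines
    # can be replaced by "ssl_reject_handshake on;", which drops unknown SNI
    # at the handshake instead of answering with a 404.
    ssl_certificate     /etc/nginx/placeholder/fullchain.pem;
    ssl_certificate_key /etc/nginx/placeholder/privkey.pem;

    # Separate log: everything here is scanner noise by construction.
    access_log /var/log/nginx/default-vhost.log;

    return 404;
}

# The application is only served when the correct hostname is requested.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name cloud.example.org;   # assumed hostname

    # Assumed Let's Encrypt paths for that hostname.
    ssl_certificate     /etc/letsencrypt/live/cloud.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed Nextcloud backend port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check with `curl -k https://<server-ip>/` (expect 404) and `curl https://cloud.example.org/` (expect the app) after `nginx -t && systemctl reload nginx`; a fail2ban filter pointed at default-vhost.log then only ever sees addresses that never asked for a real hostname.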
Yep, banning scanners with ipset lists is a great solution. I use a slightly convoluted method to perma-ban abusers, but fail2ban also works great. https://nbailey.ca/post/block-scanners/