Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

MangoPenguin , 7 days ago

Getting DDOSed or hacked is very very rare for anyone self hosting. DDOS doesn’t really happen to random people hosting a few small services, and hacking is also rare because it requires that you expose something with a significant enough vulnerability that someone has a way into the application and potentially the server behind it.

But it’s good to take some basic steps like an isolated VLAN as you’ve mentioned already, but also don’t expose services unless you need to. Immich for example if it’s just you using it will work just fine without being exposed to the internet.

Lifebandit666 , 7 days ago

I’ve self hosted home assistant for a few years, external access through Cloud flare now because it’s been so stablez but previously used DuckDNS which was a bit shit if I’m honest.

I got into self hosting proper earlier this year, I wanted to make something that I could sail the 7 seas with.

I use Tailscale for everything.

The only open port on my router is for Plex because I’m a socialist and like to share my work with my friends.

Just keep it all local and use it at home. If you wanna take some of your media outside with you, download it onto your phone before you leave

thirdBreakfast , 8 days ago

Yeah na, put your home services in Tailscale, and for your VPS services set up the firewall for HTTP, HTTPS and SSH only, no root login, use keys, and run fail2ban to make hacking your SSH expensive. You’re a much smaller target than you think - really it’s just bots knocking on your door and they don’t have a profit motive for a DDOS.

From your description, I’d have the website on a VPS, and Immich at home behind TailScale. Job’s a goodun.

filister , 7 days ago

Just changing the SSH port to non standard port would greatly reduce that risk. Disable root login and password login, use VLANs and containers whenever possible, update your services regularly and you will be mostly fine

Darkassassin07 , 7 days ago

Drink less paranoia smoothie…

I’ve been self-hosting for almost a decade now; never bothered with any of the giants. Just a domain pointed at me, and an open port or two. Never had an issue.

Don’t expose anything you don’t share with others; monitor the things you do expose with tools like fail2ban. VPN into the LAN for access to everything else.

filister , 8 days ago (edited 7 days ago)

If you are behind CGNAT and use some tunnel (Wireguard, Tailscale, etc.) to access your services which are running on Docker containers, the attack vector is almost not existing.

Evotech , 8 days ago

A VPS with fail2ban is all you need really. Oh and don’t make ssh accounts where the username is the password. That’s what I did once, but the hackers were nice, they closed the hole and then just used it to run a irc client because the network and host was so stable.

Found out by accident, too bad they left their irc username and pw in cleartext. Was a fun week or so messing around with their channels

fluckx , 8 days ago

Talk about a reverse UNO card.

Valon_Blue , 8 days ago

I’ve been self hosting for 2 or 3 years and haven’t been hacked, though I fully expect it to happen eventually(especially if I start posting my blog in places). I’d suggest self hosting a VPN to get into your home network and not making your apps accessible via the internet unless 100% necessary. I also use docker containers to minimize the apps access to my full system. Best of luck!

___ , 8 days ago

If your needs are fairly low on the processing side, you can snag a cloud VPS on LowEndBox for five or six dollars a month. Quality is highly variable ofc, but I’m reasonably my happy with mine.

No AWS, etc (though I don’t know offhand where the actual box lives), SSH access defaults to a key, and the rest (firewall, reverse proxy if you like, and all the other best practices) are but an apt-get away and a quick searxng to find and dissect working configs.

Incidentally, searxng is a good place to start- dead easy to get rolling,and a big step towards degoogling your life. Stand it up, throw a pretty standard config at nginx, and do a certbot —nginx -d search.mydomain.com - that all there is to it.

YMMV with more complex apps,but there is plenty of help to be had.

Oh…. Decide early on if anonymity is a goal,or you’re ok tying real life identity to your server if someone cares to look. Register domains and make public facing choices accordingly.

Either choice is acceptable if it’s the right one for you, but it’s hard to change once you pick a path.

I’m a big fan of not hosting on prem simply because it’s one more set of cables to trip over, etc. But for a latte a month in hosting costs, it’s worth it to me.

ikidd , 8 days ago

Use a firewall like OPNsense and you’ll be fine. There’s a Crowdsec plugin to help against malicious actors, and for the most part, nothing you’re doing is worth the trouble to them.

Confused_Emus , 8 days ago

I host a handful of Internet facing sites/applications from my NAS and have had no issues. Just make sure you know how to configure your firewall correctly and you’ll be fine.

ShellMonkey , 8 days ago

It depends on what your level of confidence and paranoia is. Things on the Internet get scanned constantly, I actually get routine reports from one of them that I noticed in the logs and hit them up via an associated website. Just take it as an expected that someone out there is going to try and see if admin/password gets into some login screen if it’s facing the web.

For the most part, so long as you keep things updated and use reputable and maintained software for your system the larger risk is going to come from someone clicking a link in the wrong email than from someone haxxoring in from the public internet.

BrianTheeBiscuiteer , 8 days ago

Other than the low chance of you being targeted I would say only expose your services through something like Wireguard. Other than the port being open attackers won’t know what it’s for. Wireguard doesn’t respond if you don’t immediately authenticate.

unknowing8343 , 8 days ago

Not my experience so far with my single service I’ve been running for a year. It’s making me even think of opening up even more stuff.

Decronym Bot , 8 days ago (edited 11 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
CGNAT	Carrier-Grade NAT
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
NAS	Network-Attached Storage
NAT	Network Address Translation
NFS	Network File System, a Unix-based file-sharing protocol known for performance and efficiency
Plex	Brand of media server package
SSH	Secure Shell for remote terminal access
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)
nginx	Popular HTTP server

---

13 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

[Thread #832 for this sub, first seen 26th Jun 2024, 10:25] [FAQ] [Full list] [Contact] [Source code]

amanda , 8 days ago

Can you (or a human) expand NPM, presumably not the Node Package Manager?

LunarLoony , 8 days ago

NPM

Nginx Proxy Manager, I assume

Apollo2323 , 8 days ago

Hey no to be harsh or anything but did you actually made your research? Plenty of people self host websites on their house without AWS , Google or Cloudfare and it works fine.