Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

ikidd , 8 days ago

Use a firewall like OPNsense and you’ll be fine. There’s a Crowdsec plugin to help against malicious actors, and for the most part, nothing you’re doing is worth the trouble to them.

just_another_person , 8 days ago

Firewall, Auth on all services, diligent monitoring, network segmentation (vlans are fine), and don’t leave any open communications ports, and you’ll be fine.

Further steps would be intrusion detecting/banning like crowdsec for whatever apps leave world accessible. Maybe think about running a BSD host and using jails.

ryannathans , 8 days ago

Freebsd here with jails, very smooth running and low maintenance. Can’t recommend it enough

s38b35M5 , 8 days ago

Love jails. My server didn’t move with me to Central America, and I miss Free/TrueNAS jails

ryannathans , 18 hours ago

Dw truenas core is dead/EoL so it’s either truenas scale (Debian) or freebsd now

s38b35M5 , 10 hours ago

EoL? They’re releasing betas regularly and announced 13.3 for Q2. You mean how they’re sort of winding down with scale taking the bulk of dev cycles? Not much to change with the platform, and security fixes will be backported to CORE. I think SCALE still doesn’t fit my use-case, hut when it does, and jails go away with CORE, I’ll shed a tear and pour one out for my homie.

HumanPerson , 8 days ago

You can. I am lucky enough to not have been hacked after about a year of this, and I use a server in the living room. There are plenty of guides online for securing a server. Use common sense, and also look up threat modeling. You can also start hosting things locally and only host to the interwebs once you learn a little more. Basically, the idea that you need cloudflare and aws to not get hacked is because of misleading marketing.

Auli , 7 days ago

Man if your lucky enough after a year I must be super duper lucky with well over a decade.

___ , 8 days ago

If your needs are fairly low on the processing side, you can snag a cloud VPS on LowEndBox for five or six dollars a month. Quality is highly variable ofc, but I’m reasonably my happy with mine.

No AWS, etc (though I don’t know offhand where the actual box lives), SSH access defaults to a key, and the rest (firewall, reverse proxy if you like, and all the other best practices) are but an apt-get away and a quick searxng to find and dissect working configs.

Incidentally, searxng is a good place to start- dead easy to get rolling,and a big step towards degoogling your life. Stand it up, throw a pretty standard config at nginx, and do a certbot —nginx -d search.mydomain.com - that all there is to it.

YMMV with more complex apps,but there is plenty of help to be had.

Oh…. Decide early on if anonymity is a goal,or you’re ok tying real life identity to your server if someone cares to look. Register domains and make public facing choices accordingly.

Either choice is acceptable if it’s the right one for you, but it’s hard to change once you pick a path.

I’m a big fan of not hosting on prem simply because it’s one more set of cables to trip over, etc. But for a latte a month in hosting costs, it’s worth it to me.

Evotech , 8 days ago

A VPS with fail2ban is all you need really. Oh and don’t make ssh accounts where the username is the password. That’s what I did once, but the hackers were nice, they closed the hole and then just used it to run a irc client because the network and host was so stable.

Found out by accident, too bad they left their irc username and pw in cleartext. Was a fun week or so messing around with their channels

fluckx , 8 days ago

Talk about a reverse UNO card.

Valon_Blue , 8 days ago

I’ve been self hosting for 2 or 3 years and haven’t been hacked, though I fully expect it to happen eventually(especially if I start posting my blog in places). I’d suggest self hosting a VPN to get into your home network and not making your apps accessible via the internet unless 100% necessary. I also use docker containers to minimize the apps access to my full system. Best of luck!

bizdelnick , 8 days ago

It is easy to get hacked if you make stupid mistakes. Just don’t make them.

possiblylinux127 , 7 days ago

This is honestly true. Just follow good security practices

5ymm3trY , 7 days ago

Is this some sort of insider I am not aware of? I always see these kind of replies and I never understand them. Why even write anything if you don’t have anything meaningful to add to the conversation? This is a genuine question to both of you. I mean, yes, it might be true that everything is fine and dandy if you follow good security practices? But how does that help a beginner? Its like saying driving a car with manual transmission is easy. You just need to know the numbers from 1 to 6 and that a higher number makes the car go faster. Even though this might be technically true, it doesn’t help anybody.

filister , 7 days ago (edited 7 days ago)

If you are behind CGNAT and use some tunnel (Wireguard, Tailscale, etc.) to access your services which are running on Docker containers, the attack vector is almost not existing.

Flax_vert , 7 days ago

If your SSH is using key authentication and you don’t have anything silly as an attack vector, you should be grand.

possiblylinux127 , 7 days ago

People who ho get compromised are the ones who expose a password authentication service with a short memorable password

qaz , 7 days ago

You can simply set up a VPN for your home network (e.g. Tailscale, Netbird, Headscale, etc.) and you won’t have to worry about attacks. Public services require a little more work, you will need to rely on a service from a company, either a tunnel (e.g. Tailscale funnel) or a VPS.

ransomwarelettuce , 7 days ago

mmm netbird seems cool, any experience with it?

qaz , 7 days ago

No, I’m currently using Tailscale but have been considering switching to Netbird to not be reliant on Tailscale.

Catsrules , 7 days ago (edited 7 days ago)

Public services require a little more work, you will need to rely on a service from a company, either a tunnel (e.g. Tailscale funnel) or a VPS.

I have been hosting random public services for years publicly and it hasn’t been an issue.

Edit, I might have miss understood the definition of public. I have hosted stuff publicly, however everything was protected by a login screen. So it wasn’t something a random person could make use of.

Darkassassin07 , 7 days ago

Drink less paranoia smoothie…

I’ve been self-hosting for almost a decade now; never bothered with any of the giants. Just a domain pointed at me, and an open port or two. Never had an issue.

Don’t expose anything you don’t share with others; monitor the things you do expose with tools like fail2ban. VPN into the LAN for access to everything else.

Lifebandit666 , 7 days ago

I’ve self hosted home assistant for a few years, external access through Cloud flare now because it’s been so stablez but previously used DuckDNS which was a bit shit if I’m honest.

I got into self hosting proper earlier this year, I wanted to make something that I could sail the 7 seas with.

I use Tailscale for everything.

The only open port on my router is for Plex because I’m a socialist and like to share my work with my friends.

Just keep it all local and use it at home. If you wanna take some of your media outside with you, download it onto your phone before you leave

MangoPenguin , 7 days ago

Getting DDOSed or hacked is very very rare for anyone self hosting. DDOS doesn’t really happen to random people hosting a few small services, and hacking is also rare because it requires that you expose something with a significant enough vulnerability that someone has a way into the application and potentially the server behind it.

But it’s good to take some basic steps like an isolated VLAN as you’ve mentioned already, but also don’t expose services unless you need to. Immich for example if it’s just you using it will work just fine without being exposed to the internet.

traches , 7 days ago

Use any old computer you have lying around as a server. Use Tailscale to connect to it, and don’t open any ports in your home firewall. Congrats, you’re self-hosting and your risk is minimal.

OpossumOnKeyboard , 7 days ago

Exactly what I do and works like a dream. Had a VPS and nginx to proxy domain to it but got rid of it because I really had no use for it, the Tailscale method worked so well.

rottedmood , 5 days ago

I’ve been thinking of trying this (or using Caddy instead of nginx) so I could get Nextcloud running on an internal server but still have an external entry point (spousal approval) but after setting up the subdomain and then starting caddy and watching how many times that subdomain started to get scanned from various Ips all over the world, I figured eh that’s not a good plan. And I’m a nobody and don’t promote my domain anywhere.

possiblylinux127 , 7 days ago

If you do it right you shouldn’t get hacked. Even if you do you can keep good immutable backups so you can restore. Also make sure you monitor everything for bad behavior or red flags.