Is it practically impossible for a newcomer selfhost without using centralised services, and get DDOSed or hacked?

qaz , 7 days ago

You can simply set up a VPN for your home network (e.g. Tailscale, Netbird, Headscale, etc.) and you won’t have to worry about attacks. Public services require a little more work, you will need to rely on a service from a company, either a tunnel (e.g. Tailscale funnel) or a VPS.

ransomwarelettuce , 7 days ago

mmm netbird seems cool, any experience with it?

qaz , 7 days ago

No, I’m currently using Tailscale but have been considering switching to Netbird to not be reliant on Tailscale.

Catsrules , 7 days ago (edited 7 days ago)

Public services require a little more work, you will need to rely on a service from a company, either a tunnel (e.g. Tailscale funnel) or a VPS.

I have been hosting random public services for years publicly and it hasn’t been an issue.

Edit, I might have miss understood the definition of public. I have hosted stuff publicly, however everything was protected by a login screen. So it wasn’t something a random person could make use of.

vzq , 8 days ago

It’s very possible. If you carefully manage your attack surface and update your software regularly, you can mitigate your security risks quite a bit.

The main problem is going to be email. I have found no reliable way to send email that does not start with “have someone else do it for you” or “obtain an IP block delegation”.

cron , 8 days ago

email isn’t that hard when you have a static IP, either from your network provider or via a VPS. Then, setup SPF, DKIM and DMARC and you’re good to go (at least for simple use cases like notifications. When you want to send out thousands of emails, you might need more.)

octopus_ink , 8 days ago

I have servers on Digital Ocean and Linode and also one in my basement, and have had no problem. I do have all services behind NPM (not to suggest it’s a panacea) and use HTTPS/SSH for everything. (not to suggest HTTPS/SSH are either) My use case could be different than yours - my immediate family are my only consumers - but have been running the same services in those locations for a few years now without issue.

filister , 8 days ago (edited 8 days ago)

If you are behind CGNAT and use some tunnel (Wireguard, Tailscale, etc.) to access your services which are running on Docker containers, the attack vector is almost not existing.

ikidd , 8 days ago

Use a firewall like OPNsense and you’ll be fine. There’s a Crowdsec plugin to help against malicious actors, and for the most part, nothing you’re doing is worth the trouble to them.

BrianTheeBiscuiteer , 8 days ago

Other than the low chance of you being targeted I would say only expose your services through something like Wireguard. Other than the port being open attackers won’t know what it’s for. Wireguard doesn’t respond if you don’t immediately authenticate.

kylian0087 , 8 days ago

If you are afraid of being ddosed which is very unlikely. Cloudflare has free ddos protection. You can put some but not all things behind their proxy.

Also instead of making things publicly available look in to using a VPN. Wireguard with “wireguard easy” makes this very simple.

VLANs do not make you network magically more secure. But when setup correctly can increase security a load if something has already penetrated the network. But also just to streamline a network and allow or deny some parts of the network.

___ , 8 days ago

If your needs are fairly low on the processing side, you can snag a cloud VPS on LowEndBox for five or six dollars a month. Quality is highly variable ofc, but I’m reasonably my happy with mine.

No AWS, etc (though I don’t know offhand where the actual box lives), SSH access defaults to a key, and the rest (firewall, reverse proxy if you like, and all the other best practices) are but an apt-get away and a quick searxng to find and dissect working configs.

Incidentally, searxng is a good place to start- dead easy to get rolling,and a big step towards degoogling your life. Stand it up, throw a pretty standard config at nginx, and do a certbot —nginx -d search.mydomain.com - that all there is to it.

YMMV with more complex apps,but there is plenty of help to be had.

Oh…. Decide early on if anonymity is a goal,or you’re ok tying real life identity to your server if someone cares to look. Register domains and make public facing choices accordingly.

Either choice is acceptable if it’s the right one for you, but it’s hard to change once you pick a path.

I’m a big fan of not hosting on prem simply because it’s one more set of cables to trip over, etc. But for a latte a month in hosting costs, it’s worth it to me.

Lifebandit666 , 7 days ago

I’ve self hosted home assistant for a few years, external access through Cloud flare now because it’s been so stablez but previously used DuckDNS which was a bit shit if I’m honest.

I got into self hosting proper earlier this year, I wanted to make something that I could sail the 7 seas with.

I use Tailscale for everything.

The only open port on my router is for Plex because I’m a socialist and like to share my work with my friends.

Just keep it all local and use it at home. If you wanna take some of your media outside with you, download it onto your phone before you leave

Flax_vert , 7 days ago

If your SSH is using key authentication and you don’t have anything silly as an attack vector, you should be grand.

possiblylinux127 , 7 days ago

People who ho get compromised are the ones who expose a password authentication service with a short memorable password

bizdelnick , 8 days ago

It is easy to get hacked if you make stupid mistakes. Just don’t make them.

possiblylinux127 , 7 days ago

This is honestly true. Just follow good security practices

5ymm3trY , 7 days ago

Is this some sort of insider I am not aware of? I always see these kind of replies and I never understand them. Why even write anything if you don’t have anything meaningful to add to the conversation? This is a genuine question to both of you. I mean, yes, it might be true that everything is fine and dandy if you follow good security practices? But how does that help a beginner? Its like saying driving a car with manual transmission is easy. You just need to know the numbers from 1 to 6 and that a higher number makes the car go faster. Even though this might be technically true, it doesn’t help anybody.

deafboy , 7 days ago

Of course security comes with layers, and if you’re not comfortable hosting services publically, use a VPN.

However, 3 simple rules go a long way:

1. Treat any machine or service on a local network as if they were publically accesible. That will prevent you from accidentally leaving the auth off, or leaving the weak/default passwords in place.
2. Install services in a way that they are easy to patch. For example, prefer phpmyadmin from debian repo instead of just copy pasting the latest official release in the www folder. If you absolutely need the latest release, try a container maintained by a reasonable adult. (No offense to the handful of kids I’ve known providing a solid code, knowledge and bugreports for the general public!)
3. Use unattended-upgrades, or an alternative auto update mechanism on rhel based distros, if you don’t want to become a fulltime sysadmin. The increased security is absolutely worth the very occasional breakage.
4. You and your hardware are your worst enemies. There are tons of giudes on what a proper backup should look like, but don’t let that discourage you. Some backup is always better than NO backup. Even if it’s just a copy of critical files on an external usb drive. You can always go crazy later, and use snapshotting abilities of your filesystem (btrfs, zfs), build a separate backupserver, move it to a different physical location… sky really is the limit here.

possiblylinux127 , 7 days ago

If you do it right you shouldn’t get hacked. Even if you do you can keep good immutable backups so you can restore. Also make sure you monitor everything for bad behavior or red flags.

Valon_Blue , 8 days ago

I’ve been self hosting for 2 or 3 years and haven’t been hacked, though I fully expect it to happen eventually(especially if I start posting my blog in places). I’d suggest self hosting a VPN to get into your home network and not making your apps accessible via the internet unless 100% necessary. I also use docker containers to minimize the apps access to my full system. Best of luck!

ShellMonkey , 8 days ago

It depends on what your level of confidence and paranoia is. Things on the Internet get scanned constantly, I actually get routine reports from one of them that I noticed in the logs and hit them up via an associated website. Just take it as an expected that someone out there is going to try and see if admin/password gets into some login screen if it’s facing the web.

For the most part, so long as you keep things updated and use reputable and maintained software for your system the larger risk is going to come from someone clicking a link in the wrong email than from someone haxxoring in from the public internet.