this post was submitted on 17 Jul 2023
47 points (100.0% liked)


Hey guys,

Currently I'm just running Calibre and Nextcloud Docker containers over the web, with a DDNS from No-IP and a Cloudflare domain. But I also want to set up a Vaultwarden container too, so now I need to really consider the security of my server. What are the main things to watch out for? Calibre and Nextcloud are just using subdomains; is it okay to have a subdomain to connect to Vaultwarden? Am I better off just trusting Bitwarden and sticking with them?

Thanks!

[–] gobbling871@lemmy.world -2 points 1 year ago (1 children)

I always see guys swearing by WireGuard for VPN access as a security measure, and it seems to me like if someone unauthorized gets your public key, they have access to the kingdom.

[–] Scholars_Mate@lemmy.world 2 points 1 year ago (1 children)

It's your private key, but yes, you would need to keep it secret just like you would an SSH key.

The benefits of a VPN are that you don't need to open ports up to the internet and rely on your individual services to be secure. Your VPN would authenticate users and ensure that the communication over the tunnel is encrypted (useful if you don't want to set up SSL/https). They can also hide what services you are hosting or even hide the fact that you are even running a VPN.

Private keys are going to be far more secure than passwords since you really can't brute force them in the same way you can passwords. Getting ahold of someone's private key is probably going to be far more difficult than guessing their password. Even if an attacker were to get ahold of your private key, they would still need to contend with the security of your service, e.g. logging into it, which would be no worse than not having a VPN.

[–] gobbling871@lemmy.world 1 points 1 year ago (1 children)

You don't get any network isolation with this approach vs. a service running in its own dedicated virtual network. Just for this reason, I think WireGuard as VPN access to other local services is insecure.

[–] hungover_pilot@lemmy.world 3 points 1 year ago

Just because you're using a VPN doesn't mean you can't isolate hosts to a separate network. I keep my services in a different VLAN and I can route/firewall traffic between that network and anywhere else as I please.
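
An added example, not part of the thread and not any commenter's own configuration: one way to combine a WireGuard tunnel with the VLAN isolation discussed above, written as an nftables ruleset for the host that routes between the two. The interface names (`wg0`, `eth0.20`), the subnets, the reverse-proxy address and the port are all assumptions chosen for illustration.

```nftables
# Constructed example: every interface name, subnet, address and port
# below is an assumption, not a value taken from the thread.
#
#   wg0      WireGuard tunnel, peers addressed from 10.8.0.0/24
#   eth0.20  services VLAN, 192.168.20.0/24
#   192.168.20.10  reverse proxy in front of the self-hosted services

table inet vpn_isolation {
    chain forward {
        # Policy stays "accept" so unrelated routing on this host is
        # untouched; only tunnel traffic is restricted below.
        type filter hook forward priority filter; policy accept;

        # Replies to connections that were already permitted.
        ct state established,related accept

        # VPN peers may open HTTPS connections to the reverse proxy
        # in the services VLAN, and nothing else.
        iifname "wg0" ip saddr 10.8.0.0/24 oifname "eth0.20" ip daddr 192.168.20.10 tcp dport 443 accept

        # Everything else coming out of the tunnel is logged and dropped,
        # so a compromised peer key reaches the proxy but not the rest
        # of the services VLAN or the home LAN.
        iifname "wg0" log prefix "wg0-denied: " drop

        # Hosts behind the router cannot open new connections toward
        # VPN clients.
        oifname "wg0" ct state new drop
    }
}
```

The `wg0-denied:` log prefix gives a simple signal to alert on: a peer that repeatedly hits the drop rule is probing for hosts it was never meant to reach.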