Selfhosted

39151 readers

309 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Basic Security for your Website | Loudwhisper (loudwhisper.me)

submitted 1 month ago by loudwhisper@infosec.pub to c/selfhosted@lemmy.world

29 comments fedilink hide all child comments

Hi, recently (ironically, right after sharing some of my posts here on Lemmy) I had a higher (than usual, not high in general) number of "attacks" to my website (I am talking about dumb bots, vulnerability scanners and similar stuff). While all of these are not really critical for my site (which is static and minimal), I decided to take some time and implement some generic measures using (mostly) Crowdsec (fail2ban alternative?) and I made a post about that to help someone who might be in a similar situation.

The whole thing is basic, in the sense that is just a way to reduce noise and filter out the simplest attacks, which is what I argue most of people hosting websites should be mostly concerned with.

you are viewing a single comment's thread
view the rest of the comments

[–] loudwhisper@infosec.pub 6 points 1 month ago (1 children)

Thanks! I did mention this briefly, although I belong to the school that "since I am anyway banning IPs that fail authentication a few times, it's not worth changing the port". I think that it's a valid thing especially if you ingest logs somewhere, but if you do don't choose 2222! I have added a link to shodan in the post, which shows that almost everybody who changes port, changes to 2222!

[–] LostXOR@fedia.io 5 points 1 month ago* (last edited 1 month ago) (1 children)

Yeah, I just left my SSH port as 22 since I only use key-based authentication so there's really no security risk. Plus, it's funny going through the logs and looking at all the login attempts.

[–] loudwhisper@infosec.pub 1 points 1 month ago (1 children)

Yep I agree. Especially looking at all the usernames that are tried. I do the same and the only risk come from SSH vulnerabilities. Since nobody would burn a 0-day for SSH (priceless) on my server, unattended upgrades solve this problem too for the most part.

[–] kitnaht@lemmy.world 1 points 1 month ago (1 children)

I mean we just had https://nvd.nist.gov/vuln/detail/CVE-2024-6387 -- so my guess is that you're updating quite often to be so confident in your unattended upgrades.

[–] loudwhisper@infosec.pub 1 points 1 month ago

Yeah I know (I mentioned it myself in the post), but realistically there is no much you can do besides upgrading. Unattended upgrades kick in once a day and you will install the security patches ASAP. There are also virtual patches (crowdsec has a virtual patch for that CVE), but they might not be very effective.

I argue that VPN software is a smaller attack surface, but the problem still exists (CVEs) for everything you expose.