this post was submitted on 17 Sep 2023
12 points (80.0% liked)

Selfhosted

40006 readers
582 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey guys,

I finally come around and started the journey of self-hosting and decided to get a VPS. After securing it, by making login via public-key default, I installed CasaOS and instantly regretted it since it now can be reached freely from the internet. A while ago, I read that you can limit the incoming connection to only VPN and ssh. And configured a Wireguard-VPN on the server via pivpn. But the server can still be reached from the internet. So what do I have to do now? Is it even the right choice, or am I missing something? How do you guys secure your VPS?

you are viewing a single comment's thread
view the rest of the comments
[–] chiisana@lemmy.chiisana.net 1 points 1 year ago (1 children)

Also before diving too deep into firewalls, which is a good idea none the less, just go to SSHd config and set ListenAddress to only listen on the VPN network address instead of public IP, and no one can connect via the public IP.

Keep it simple, and add complexity only as needed.

[–] Onion6068@feddit.de 2 points 1 year ago (1 children)

I personally prefer using public key encryption over passwords for ssh authentication. There's no need to rely on third-party VPN providers (like ZeroTier or Tailscale) or hosting your own "vpn server" for that purpose as ssh trafic is already encrypted.

The drawback of following the route you suggested is that you have to operate yet another service that could be misconfigured, potentially causing you to lose access to your server. If you're keen on further restricting access, consider whitelisting your static(!) IP address, the IP address ranges associated with your provider or the ranges assigned to your country for an additional layer of security.

[–] chiisana@lemmy.chiisana.net 1 points 1 year ago

I agree. I have all my servers “in the open”, and only use VPN when I need to route my egress through a different geographical location. The reason I’m saying to use ListenAddress instead is because OP is already got the VPN setup, and seems like not going to change from it. No point introducing yet another piece of complexity such as firewall to the mix when their objective can be achieved with what they’re already using.