Opening your router to the Internet is risky. Are there any guides for the basics to keep things secure? Things like setting up fail2ban? My concern is that I’ll forget something obvious.

Edit: I haven’t had much of a chance to read through everything yet, but I really appreciate all these long, detailed responses. ❤️ Thanks folks!

  • Sethayy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    5
    ·
    4 months ago

    I skimmed over your entire comment minus the part about docker, so if you answered this somewhere and I’m a dumbass I already accept fault,

    that being said docker has taught me more about Linux than anything else, cause its like a micro Linux you can reliably bring up and take down on demand, without requiring risking breaking your GUI or something scary

    • TCB13@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      4 months ago

      Oh well, If you think you’re good with Docker go ahead use it, it does work but has its own dark side

      cause its like a micro Linux you can reliably bring up and take down on demand

      If that’s what you’re looking for maybe a look Incus/LXD/LXC or systemd-nspawn will be interesting for you.

      I hope the rest can help you have a more secure setup. :)

      Another thing that you can consider is: instead of exposing your services directly to the internet use a VPS a tunnel / reverse proxy for your local services. This way only the VPS IP will be exposed to the public (and will be a static and stable IP) and nobody can access the services directly.

      client —> VPS —> local server

      The TL;DR is installing a Wireguard “server” on the VPS and then have your local server connect to it. Then set something like nginx on the VPS to accept traffic on port 80/443 and forward to whatever you’ve running on the home server through the tunnel.

      I personally don’t think there’s much risk with exposing your home IP as part of your self hosting but some people do. It also depends on what protection your ISP may offer and how likely do you think a DDoS attack is. If you ISP provides you with a dynamic IP it may not even matter as a simple router reboot should give you a new IP.