this post was submitted on 12 Apr 2025
54 points (98.2% liked)

Selfhosted

45718 readers
524 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
54
If Nothing is Exposed, Am I Safe? (lemmy.dbzer0.com)
submitted 21 hours ago* (last edited 21 hours ago) by No_Bark@lemmy.dbzer0.com to c/selfhosted@lemmy.world
15 comments fedilink hide all child comments
 

Hello most excellent Selfhosted community,

I'm very new to this and am confused about how vulnerable my server and/or home network is with my current setup.

I just got a basic server up and running on a machine with proxmox and a DAS for 10tb of storage. I've got two LXCs running for a docker deployed arr stack and jellyfin+jellyseer stack. The proxmox server is connected to a router attached to a fiber ONT. Everything is accessed over the home LAN network and that's it.

Everything is working correctly and my containers are all talking to each other correctly via ip addresses (gluetun network on the arr stack container). I've been reading up on reverse proxies and tailscale to connect to the server from outside my LAN network, and it's mostly gone over my head, but it did make me concerned about my network security.

Is my current set up secure, assuming strong passwords were used for everything? I think it is for my current uses - but I could use a sanity check, I'm tired. I'm open to any suggestions or advice.

I own a domain that I don't use for anything, so it would be cool to get reverse proxy working, but my attempts so far have failed and I learned I'm behind a double NAT (ONT and router) - and attempts to bypass that by setting the ONT into bridge mode have also failed. I don't really need to access anything from outside my home network right now - but I would like to in the future.

you are viewing a single comment's thread
view the rest of the comments
[–] IsoKiero@sopuli.xyz 4 points 20 hours ago

Is my current set up secure, assuming strong passwords were used for everything?

Network security is a complicated beast to manage. If general public can access your services over the internet, that's a threat you need to mitigate. Strong passwords is a good start on that, but it doesn't take into account if there's a flaw or bug on the service you're running. Also if you have external users, they might reuse their passwords and leak for those might cause a threat too, specially if there's privilege escalation bugs on the software you're running.

And so on, it's a too wide field to cover in a short comment here, but when you're building your stuff, and what is maybe the most disticntive feature on a good professional between a not so good one, is to think ahead and prepare for every imaginable scenario where something goes wrong. Every time you add a way to access your network, no matter how minuscle, think what happens if that way gets compromised and what it might mean on the very worst case.

Maybe you want to add another access point to your network since your terrace isn't properly covered. That's nice to have, but now everyone around 100 meters around your house/apartment might have access to your stuff if they can break your wifi security. Maybe you set up a reverse proxy or tailscale on the stack. Now the whole internet can at least probe your stuff and try to find vulnerabilities, try to use stolen credentials and even try to social engineer their way into your stuff. Or maybe you made an mistake and left something open that shouldn't be.

I'm not trying to scare you off out of anything. Go ahead and play with your stuff, break things, learn how to fix them, have fun while doing it. Just remember to think ahead about worst case scenarios, weigh their risks, think ahead and then go on. Learn about DNAT, reverse proxies, VPN and network layers and whatever you come across on your adventure but keep in mind that shit will hit the fan at some point. And learn to accept that, learn from your mistakes and do better next time.