Unearthing this to ask specifically about the port forwarding comment by @ph00lt0.
I found a tutorial explaining how to install radicale (caldav server) on a raspberry pi, but it mentions port forwarding to access from outside the local network.
Is this a terrible idea? I have my own (non-ISP) router with OpenWRT and a pi attached to it. But I am a noob for self-host. Is there no safe way to leverage my pi to host my own caldav server?
Port forwarding basically means nobody is checking the traffic coming in on those ports. There is no filtering, no nothing, until it hits your device, assuming you do not have a actual hardware firmware.
There is a way that i would believe to be more safe and that is using tunnels like with Tailscale.
If you are a “noob” with (self)hosting I would really recommend not bothering. How can you protect yourself when you don’t even know how? Companies have entire teams doing monitoring and response.
Thanks, that’s what I was fearing. I briefly read about Tailscale but don’t really have the time to get into that now, I fear.
I actually have caldav support with my email provider, but it only supports minimal features and that’s making it of limited usefulness. Also not so eager to pay for yet another service. Maybe i’ll wait for Proton to have something like a task manager.
(Self)study computter science and information security? This is not a simple learn in a week thing imho. There are other threads on the forum with good books and podcasts already.
But I am a noob for self-host. Is there no safe way to leverage my pi to host my own caldav server?
This is not a quick solution, but something you could do (if only as a learning experience) is install a ssh server on your pi and set up port forwarding on your router to allow remote ssh logins. If you keep the ssh server updated with security fixes it is probably going to be secure, whereas I don’t know how secure radicale itself is. Use a strong password or ideally disable passwords and use a private key to authenticate.
Once you have the ability to ssh in to the pi remotely, you can then use ssh port forwarding to expose the radicale port only to users who have managed to authenticate via ssh. This adds an extra layer of protection and inconvenience.
If you knew what you were doing, the risk of port forwarding to publicly host it would be acceptable, but since you are a beginner it would be too big of a risk, especially due to risk of misconfiguration and forgetting to update.
The recommendation to use Tailscale is good. Only downside is you need to install the Tailscale app on every device, which acts as a mesh VPN and occupies your VPN slot on that OS. If this is not an option for you, you will need to skill up your self-hosting knowledge to be able to expose your radicale server to the public.
Everything, especially everything remote accessible.
That you even have to ask this question shows that you are not ready for hosting something publicly, yet. There are so many ways a server can be misconfigured, firewall, reverse proxy, containers, applications, ssh daemon, …
So it isn’t actually a vulnerability with port forwarding. Since nobody had been willing to answer my question, I wasn’t even sure what you guys were referring to. I am quite aware of ssh vulnerabilities and their mitigations. As for the other stuff, I don’t know how you expect people to learn without experience and research and asking questions
Regarding firewalls, would using a preconfigured distro like fedora server and only opening ports needed work? Is there something I’m missing here?
Asking questions is fine. And getting more experience by experimenting, too. But I would do this behind the safety of a VPN/Tailscale, before publicly opening ports to services. When you feel comfortable and have fine tuned everything, you can still open it in the future.
Fedora is not more preconfigured than some other distros.
Your question is not very specific to give you a good answer. For example if you use Docker, Docker by default will override your docker host OS’s firewall, which most beginners don’t expect and some never realize. You can change that, but to change it you first must know about it first. That’s just one example of the little things which can happen. It often does not have a big impact, because many networks have an additional firewall which could block it and only make attacks from inside the network a lot easier, but if your network does not, you will end up opening services to the public which will bring you in hell’s kitchen (databases, services without any access control, …).
Don’t get me wrong, I don’t want you to discourage from self-hosting, just start in a safe environment. For example put everything behind a VPN, use it and do testing without exposing it. Next step could be to replicate this setup to a cheap secondary server without any sensitive data within a DMZ and exposing it to the web, scanning the server and checking logs for some time. After some time you might get to a point where you feel confident to host publicly, even with sensitive data.