Self-hosting advice

Hello, friends.

I’m going to be self-hosting for the first time ever. I was hoping y’all might be able to make some recommendations on really important things that I should consider. Tips and anything you wish you knew when you began self-hosting would be so much appreciated. On all topics, too: DNS, IPs, firewalls, etc.

I have been reading up on security/privacy, but it’s pretty overwhelming. Getting the server up and running will be smooth enough, but it’s the security stuff that seems the most daunting. I know very little about it, and don’t want to launch a server without locking things down.

I’m going to run Yunohost because that will work for my needs. I’m going to use Discourse and HedgeDoc with it. Others will follow, but that’s where I’ll begin.

Thank you so much in advance for any advice. I appreciate you.

1 Like

Are you self-hosting on your own hardware at home, or are you going to rent a VPS? You can self-host a lot of things at home with no problems, but I would not recommend renting a VPS and running stuff there for a complete beginner.

1 Like

One of the main things to consider is if you want to be able to access your stuff from outside of your network. Most people do, so there are a few ways to approach that.

You can simply set up a port forward on your router that points to a reverse proxy, but then you have to deal with the whole internet being able to see and poke at you.

You could also set up a VPS proxy like here so you can have a bit of separation from your home.

What I think is the best approach is to use VPNs to access your stuff. You can do normal wireguard or something like tailscale/zerotier. This way no one can see your lab without being connected to the VPN.

2 Likes

This.

1 Like

onions are also an option for some usecases!

Instead of Yunohost you could check out Cosmos OS.

@CyberOtter
Cosmos is not open source.

  • If possible, host services that use encryption to store the data, so if your server gets seized, suspended or hacked for any reason, your information will not be compromised.
  • If you are going to have more than one server and you need a way to securely connect them to each other without messing with SSL certificates and opening ports to the internet, you can use WireGuard or a mesh VPN (which uses WireGuard too) like Netmaker (my personal preference, since I host a Netmaker server for myself and it’s light), Netbird or Tailscale. There is also Yggdrasil, which doesn’t need a central server like the ones I mentioned before, but that’s too advanced; it is also an option, though.
  • Use containerization if possible, Podman or Docker is fine. If any of your services has a vulnerability, they will not be able to reach your server itself, only the data of that container will be compromised. (This is not necessary with NixOS thanks to predefined SystemD services that are already hardened). In the end, most of the services that you will be running are made by different people, and you are probably not going to audit every commit to see the changes hehe.
  • Try to leave the least amount of sensitive data on your server, for example, you could host Bitwarden for yourself (Vaultwarden) on the server, but I personally would prefer to use KeepassXC and Syncthing to keep my passwords synced between devices without a central server ;3

Here is a good list of things you can host for yourself:

Edit:

Not really self-hosting related, but use encrypted DNS on your devices and servers if possible, because your ISP or server provider will be able to see which domains you query, since DNS is plain text, unlike HTTPS ;3

For Android, you can use DNS over TLS; for Windows, DNS over HTTPS; for Linux, there are a lot of options, but I recommend using Unbound on your server and, for PCs, GitHub - AdguardTeam/dnsproxy: Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support, although you can also use Unbound on your PC, it’s up to you! But if you ask me, I use Unbound on servers because it supports DNS over TLS, and dnsproxy on PCs because it supports DNS over QUIC ;3

About IPs, YunoHost is probably going to automate this (I haven’t used YunoHost, ever), but always try to listen on 127.0.0.1 for services that are going to be exposed through a reverse proxy like NGINX or Caddy! That way you prevent the service from being exposed to the internet if the firewall is wrongly configured.

I could say more but I think that is enough, I don’t want to overwhelm you with a lot of information, so just feel free to ask if you are curious about something ;3

3 Likes
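The loopback-binding advice in the post above is easy to state and easy to get wrong, so here is an added example (not from the original post, YunoHost, or any project mentioned in the thread) of the check a practitioner runs afterwards: list every listening TCP socket bound to a wildcard address and subtract the ports you meant to expose. The `ss` output below is a constructed sample, not captured from a real host; the only assumption for live use is that `iproute2` (`ss`) is installed.

```shell
#!/bin/sh
# Constructed sample of `ss -H -ltn` output (not captured from a real host).
# Field 4 is the local address:port the socket is bound to.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 *:22 *:*'

# Print local address:port of every socket bound to a wildcard address
# (0.0.0.0, [::] or *). Anything printed here is reachable from every
# interface unless the firewall stops it; loopback-only binds are skipped.
exposed_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^\[::\]:/ || $4 ~ /^\*:/) { print $4 }'
}

# Remove the ports you intentionally expose (e.g. "443 22") and print the rest:
# a service the reverse proxy should be fronting, but which is bound to 0.0.0.0.
unexpected_listeners() {
  allowed=" $2 "
  exposed_listeners "$1" | while read -r addr; do
    port="${addr##*:}"
    case "$allowed" in
      *" $port "*) ;;                 # expected public port, ignore
      *) printf '%s\n' "$addr" ;;     # surprise: not loopback, not allow-listed
    esac
  done
}

# Run against the constructed sample when executed directly.
unexpected_listeners "$SAMPLE_SS" "443 22"
# Live use on the server itself:
#   unexpected_listeners "$(ss -H -ltn)" "443 22"
```

With the sample input, the 8080 listener is reported: it is an application that should be reachable only through the reverse proxy, yet it is bound to 0.0.0.0. When a service runs in a container, the same mistake looks like a Compose port mapping of `"3000:3000"`; write `"127.0.0.1:3000:3000"` instead, because Docker publishes ports through its own iptables rules, so a host firewall such as ufw does not protect an unqualified mapping.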

I’d further recommend you put each category of containers in a separate VM since containers are not that great of a security boundary.

1 Like

Or use gvisor as a runtime

1 Like

Could you elaborate on that? Because of the licence or the constellation network?

They can do this regardless since very few sites support ECH.

edit: I have numbers here: https://divested.dev/misc/ech.txt
some fresh results are currently generating.
edit 2: they’re up

Commons Clause is not an FSF or OSI approved license

2 Likes

Yeah, I was going to mention that but I didn’t want to go that offtopic :sweat_smile:

What is your go-to recommendation for a small VPS server setup?

Do you use something like fail2ban, crowdsec or even a SIEM to secure your servers?

And what’s your opinion on Fedora CoreOS?

That will always depend on what you are looking to host, so I can’t give any recommendation that will work for everyone.

No, I don’t use any of those, because I don’t log anything on the privacy-focused public services that I host. I’ve tried fail2ban and it works well if you are just hosting things for yourself; CrowdSec is also really good (with the big exception of the CrowdSec Central API, which has too many false positives, so it’s better to disable it if you host privacy-related services as I do, since you can’t modify the ‘decisions’ for each IP that is listed; if you have used CrowdSec before, you will understand ;b).

So I just use rate limits and a nonJS captcha

But for private services that are not going to be public, I would go with Crowdsec, it’s kinda complicated to get it working but once you know how it works, it’s easy to make your own rules to filter bots and IPs using iptables or whatever.

I have never used Fedora on Desktop nor servers, so I have no opinion. I personally use Debian, Arch (never use Arch for a server) and NixOS

2 Likes
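The fail2ban/CrowdSec discussion above boils down to one piece of detection logic: count failed logins per source address over a window and ban the sources that cross a threshold. Here is an added example (not from the original post or from either tool) that runs that logic over constructed `sshd` log lines and prints the firewall commands it would issue, using RFC 5737 documentation addresses; the threshold and the `iptables` syntax are assumptions for illustration, not either tool's configuration.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not from a real server). 203.0.113.7 is
# brute-forcing; 198.51.100.20 is a legitimate user who mistyped once.
SAMPLE_AUTH='Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:07 host sshd[1204]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:00:11 host sshd[1206]: Failed password for invalid user admin from 203.0.113.7 port 51237 ssh2'

# Print "ip count" for every source with at least $2 failed password attempts,
# highest count first. Only "Failed password" lines are counted; an accepted
# login does not reset the counter, which is how fail2ban's sshd filter behaves too.
brute_force_sources() {
  printf '%s\n' "$1" | awk -v t="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= t) printf "%s %d\n", ip, fails[ip] }' |
    sort -k2 -nr
}

# Turn the offender list into firewall commands. They are printed, not executed,
# so you can review them; pipe into `sh` only once you trust the threshold.
ban_commands() {
  brute_force_sources "$1" "$2" | while read -r ip count; do
    printf 'iptables -I INPUT -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
  done
}

# Run against the constructed sample when executed directly.
ban_commands "$SAMPLE_AUTH" 3
# Live use on a Debian-style host (run against the real log as root):
#   ban_commands "$(cat /var/log/auth.log)" 5 | sh
```

With a threshold of 3 only 203.0.113.7 is banned; the single failure from 198.51.100.20 stays under it, which is the kind of false positive the post warns about when a shared decision list cannot be edited. A real deployment also needs a time window and an unban timer, which is exactly what fail2ban's `findtime` and `bantime` add on top of this counting.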

Arch is great on servers. Would take it over Debian anyday.

If you want something that doesn’t siphon off your logs: GitHub - divestedcg/SCFW3: Complementing your firewall with IP blocking

1 Like

Right, my bad on not clarifying that. I mean self-host on my own hardware on my property.

1 Like

Thank you for this. This gives me something to research. This server will only be used by known people in a group of friends. Downtime won’t be a concern. So I won’t open it up for remote access. However, down the road, once I learn more, I’d like to self-host my own PeerTube server. So this information will be good for me to know for that purpose. I’ll do some research on this.

Wow. This is a lot of really meaningful information. Thank you!

I’m glad you mentioned not wanting to overwhelm. While I’m well versed in code, servers are a whole new world for me. So it’s definitely a lot to take in. But all of this is more or less familiar to me as topics. So it’s perfect. I’m going to research what you mentioned here.

1 Like

Like others have said, avoid reverse proxies and use Tailscale to get up and running quickly w/o opening any ports on your network. If you develop more of a FOSS mentality, try to self host headscale or netbird on a VPS.

VPS are otherwise not necessary if you are running on prem, and IMO are only popular because YTers can make referrals off of them.

1 Like