selfhost noob question

Hey, I’m planning to self-host multiple services like Vaultwarden on a VPS for the first time, and I need to know a lot of things to start.

  1. Can my VPS provider see the content in my Vaultwarden? Passwords, logs, etc.?
  2. Can my VPS provider see which domain I’m using to host these services? Let’s say I self-host SearXNG on the “x.com” domain; can my VPS provider see I’m using this domain?
  3. How do I secure my VPS server? Like, how do I protect myself from DDoS attacks, hacks, malware? Do people encrypt the hard drive in their VPS?

Thanks for any help :)

It isn’t truly self-hosting if you are using someone else’s hardware. All unencrypted data can be accessed by the owner of the hardware if they want to of course. Your password database should be encrypted, but things like logs and files stored in the clear will be accessible.

As an alternative you could use the VPS as a proxy for your own hardware. This has the benefit of masking your own IP and circumventing system port restrictions on residential Internet. The downside is that it adds complexity to the setup.

Anything that’s either unencrypted or encrypted at rest (with the private key stored on the server) will be visible to them.

Even if that information isn’t visibly stored on the server itself, the DNS record for your domain that points to the server IP will be publicly accessible, so you should assume that they can know that.

1 Like

Hey, I’m planning to self-host multiple services like Vaultwarden on a VPS for the first time, and I need to know a lot of things to start.

I’m not a big fan of VPS, but it is a good start.

Can my VPS provider see the content in my Vaultwarden?

Depends on the content, but the most sensitive content (passwords, master password, saved notes, etc.) he can’t see.

But he can see your logs, e-mail addresses and so on.

Can my VPS provider see which domain I’m using to host these services? Let’s say I self-host SearXNG on the “x.com” domain; can my VPS provider see I’m using this domain?

Unless you do a more advanced setup, yes.

How do I secure my VPS server?

This is a broad question…

  1. Use secure SSH keys like ECDSA with a passphrase
  2. Create a new admin account called “ad{yourname}”, for example, and give it sudo permissions
  3. Disable the root account
  4. Use a ZTN like Netbird, Twingate or Tailscale to access your resources
  5. Use a firewall like UFW to block all non-public and sensitive ports
  6. Use CrowdSec
  7. Try to harden your distro (I would recommend AlmaLinux for it)
  8. Use Docker to install software and never install it directly on the machine
  9. Harden your Docker containers
  10. And many more things

Like, how do I protect myself from DDoS attacks?

You can’t.
DDoS attacks are a very primitive form of attack where the stronger one wins.
If the attacker has more bandwidth, he wins. If you have more bandwidth, you win.

There are three parties who can protect you from a DDoS attack:

  • Your hosting provider
  • The ISP of your hosting provider
  • An anti-DDoS reverse proxy host like Cloudflare or Bunny.net

Hacks, malware?

As long as you do not install weird shit, always use Docker containers and use official repos, malware is pretty rare.
To prevent a hack, follow the hardening rules above.

Do people encrypt the hard drive in their VPS?

This is possible and I do so, but it’s a bit more advanced.
If you look for an easy tutorial, Hetzner put a guide online on how you can use FDE with a passphrase on a server you do not have hardware access to.

1 Like
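Steps 1, 2, 3 and 5 of the hardening list above (key-only SSH, a sudo admin user, a locked root account, UFW with only public ports open) can be turned into one reviewable script. The following is an added example, not code from the post or from any of the projects named; it assumes a Debian/Ubuntu-style host (`/etc/ssh/sshd_config.d/`, `adduser`, the `ssh` service name) with `ufw` installed, and the admin user name is a placeholder passed as the first argument. Nothing on the host is changed unless `APPLY=1` is set, so the default run is a dry run you can read first.

```shell
#!/bin/sh
# Added example (not from the thread): renders an OpenSSH hardening drop-in,
# checks an existing sshd_config for the settings the post recommends, and
# lists the UFW commands that implement "block all non-public ports".
# Assumptions: Debian/Ubuntu paths and service names, ufw installed.
# Nothing is changed unless APPLY=1.

ADMIN_USER="${1:-adexample}"   # placeholder for the "ad{yourname}" account from the post

# Print the sshd drop-in: key-only auth, no root login, only the admin user may log in.
# Confirm the admin user's key login works BEFORE applying, or you lock yourself out.
render_sshd_hardening() {
    cat <<EOF
# hardening drop-in generated by the example script
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers ${ADMIN_USER}
MaxAuthTries 3
X11Forwarding no
EOF
}

# Return 0 if the given sshd_config file already carries the three critical settings
# (uncommented, at the start of a line); otherwise return 1.
check_sshd_config() {
    f="$1"
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$f" || return 1
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$f" || return 1
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$f" || return 1
    return 0
}

# Print the UFW policy: deny everything inbound, then allow only SSH (rate limited)
# and the two public web ports a reverse proxy needs. Everything else stays closed.
render_ufw_rules() {
    cat <<'EOF'
ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp comment 'ssh, rate limited'
ufw allow 80/tcp comment 'http (redirect to https)'
ufw allow 443/tcp comment 'https reverse proxy'
ufw --force enable
EOF
}

# Count inbound allow/limit rules that expose a port; this policy opens exactly 3.
count_exposed_ports() {
    render_ufw_rules | grep -Ec '^ufw (allow|limit) [0-9]+/(tcp|udp)'
}

if [ "${APPLY:-0}" = "1" ]; then
    # Steps 2 and 3 of the post: sudo-capable admin account, then lock root's password.
    adduser --disabled-password --gecos '' "$ADMIN_USER"
    usermod -aG sudo "$ADMIN_USER"
    passwd -l root
    render_sshd_hardening > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t && systemctl reload ssh      # validate before reloading
    render_ufw_rules | sh
else
    echo "Dry run (set APPLY=1 to apply). Would write:"
    render_sshd_hardening
    render_ufw_rules
fi
```

Run it once without `APPLY` to review the output, copy the admin user's public key into place and test a key login, and only then run it with `APPLY=1`; `check_sshd_config /etc/ssh/sshd_config` afterwards tells you whether the live config (not just the drop-in) carries the settings.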

It isn’t truly self-hosting if you are using someone else’s hardware.

I would not say so.

You can’t always use your homelab for things; one reason might be your ISP or a bad internet connection.
I mean, there are very few people who have a good cable to their house that could reach about 10 Gbit/s, while most datacenters are able to.
In addition, why should self-hosting imply that it is my own hardware? We – the community – often refer to self-hosting when we are using our own services and have control over the server side, not directly about the hardware.

All unencrypted data can be accessed by the owner of the hardware if they want to, of course.

This is true, but you can use FDE with a passphrase to encrypt everything.
It is a tricky setup, but it works on most VPS providers.

1 Like

Thank you @Tux @PaleCrow55 for your replies, guys, I really appreciate it. (I can’t @ everyone due to a limitation)

There is no way to hide that from them?

Why aren’t you?

Can you teach me or show me where I can learn to do that, please?

There is no way to hide that from them?

Depends on the logs.
Some information is saved outside your control, like on their firewall or switches.

Can you teach me or show me where I can learn to do that, please?

Here is a guide on how you can do it.

1 Like

Even if you encrypt the disk the host can still extract RAM contents including the disk encryption key.
Anything you put on a VPS should either be considered public, disposable, or truly end-to-end-encrypted.

edit: there are some hosts such as Google which do offer memory encryption and attestation, but that requires some setup, and even then flaws have been found before wrt it

edit 2: you can slightly minimize the amount of no-longer-used data sitting in RAM by booting Linux with init_on_free=1 for kernel zeroing and using the GrapheneOS hardened_malloc system-wide for userspace zeroing.

7 Likes
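The two mitigations named in “edit 2” are easy to misconfigure silently (a typo in the GRUB line, or a preload entry that is commented out), so it helps to have a check. The following is an added example, not code from the post or from GrapheneOS; it assumes the kernel command line is read from `/proc/cmdline`, that hardened_malloc is loaded system-wide via `/etc/ld.so.preload` (the mechanism its README describes), and it ships constructed sample inputs so it runs anywhere. The GRUB edit it mentions is shown in the output, not applied.

```shell
#!/bin/sh
# Added example (not from the thread): verify the two RAM-zeroing mitigations the
# post names. Checks a kernel command line for the exact token init_on_free=1 and an
# ld.so.preload file for libhardened_malloc.so. Sample inputs below are constructed.

# Return 0 when the command line (one string) contains the exact token init_on_free=1.
# Tokenising on whitespace avoids matching init_on_free=10 or a substring of another key.
cmdline_has_init_on_free() {
    for tok in $1; do
        [ "$tok" = "init_on_free=1" ] && return 0
    done
    return 1
}

# Return 0 when an ld.so.preload file lists libhardened_malloc.so on an uncommented line.
preload_has_hardened_malloc() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -q 'libhardened_malloc\.so'
}

# Audit a host: reads the cmdline and preload files (defaults are the live system paths),
# prints one line per check and returns the number of failing checks (0 = both present).
audit_host() {
    cmdline_file="${1:-/proc/cmdline}"
    preload_file="${2:-/etc/ld.so.preload}"
    fails=0
    if [ -r "$cmdline_file" ] && cmdline_has_init_on_free "$(cat "$cmdline_file")"; then
        echo "ok   kernel zeroes freed pages (init_on_free=1)"
    else
        echo "FAIL init_on_free=1 missing; add it to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, run update-grub, reboot"
        fails=$((fails + 1))
    fi
    if [ -r "$preload_file" ] && preload_has_hardened_malloc "$preload_file"; then
        echo "ok   hardened_malloc preloaded system-wide via $preload_file"
    else
        echo "FAIL libhardened_malloc.so not listed in $preload_file"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed samples: one hardened command line, one that only looks hardened.
SAMPLE_CMDLINE_GOOD="BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro init_on_free=1 quiet"
SAMPLE_CMDLINE_BAD="BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro init_on_free=0 quiet"

demo() {
    tmp=$(mktemp)
    printf '# preload the hardened allocator\n/usr/local/lib/libhardened_malloc.so\n' > "$tmp"
    cmdline_has_init_on_free "$SAMPLE_CMDLINE_GOOD" && echo "sample: hardened cmdline detected"
    cmdline_has_init_on_free "$SAMPLE_CMDLINE_BAD" || echo "sample: init_on_free=0 correctly rejected"
    preload_has_hardened_malloc "$tmp" && echo "sample: hardened_malloc preload detected"
    rm -f "$tmp"
}
demo
```

To audit a real VPS, call `audit_host` with no arguments (or `audit_host /proc/cmdline /etc/ld.so.preload`); a non-zero exit code is the number of missing mitigations, which makes it usable from a cron job or configuration check.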

I would certainly agree with Tux in that “self-hosting” means that you’re hosting something on your own hardware and not just paying a different cloud provider to do it for you. Otherwise it would be weird for me to say that “I’m self-hosting on AWS”.

not just paying a different cloud provider to do it for you.

They don’t do it for you, they just rent you hardware.

1 Like

Thanks for the link and your help :)

So I should not host Vaultwarden or SearXNG then? What’s the point of buying a VPS if the owner of the VPS can do that?

Yeah, I agree, my bad for that.

If your data is fully E2EE then they can’t do that. I’m not sure if SearXNG can do that, but Vaultwarden should.
To clarify, “fully E2EE” meaning that the decrypted data/decryption keys are never present on the server, ever.
[Edit:] The VPS provider would probably be able to know that you are using Vaultwarden software, but not be able to see the data that Vaultwarden is handling, assuming E2EE.

1 Like

I’d still question: do you need a VPS?

Going with just a little server in your home and connecting to it via Wireguard has no monthly cost and is more rewarding and easier to trust.

5 Likes

I personally don’t see the point of self-hosting vaultwarden. What are you really gaining over just using bitwarden? You don’t trust their E2EE and think that you can host it better? I doubt it.

The best, most secure apps don’t trust the server. The server could always be compromised with some man-in-the-middle type stuff. Your personal data should be encrypted, with your authentication as being the only way to decrypt it.

1 Like

I fully agree with you, but you’re also replying to a self-labeled beginner here. A VPS is much simpler for beginners to host things on, as you don’t need to figure out any of the server hardware, cables, etc. PG doesn’t do a good job of suggesting hardware (ex. Raspberry Pi) to use for self-hosting.

1 Like

I don’t see how it is that much simpler; you can usually click an OS to install, but that is it?
Otherwise you can still easily shoot your foot off with both if you don’t research/learn.

random picks, no affiliation, US-centric, both will wipe the floor compared to any cheap VPS:

or go dumpster diving ❤

I personally don’t see the point of self-hosting vaultwarden. What are you really gaining over just using bitwarden? You don’t trust their E2EE and think that you can host it better? I doubt it.

The biggest point about self-hosting Vaultwarden is that you are independent of Bitwarden itself.
For example, if Bitwarden would go on and say “hey, this and this feature is now paid” or “hey, we raise the price from 1€ to 5€”, you can easily say “okay, do it. I don’t care”,
because you host it yourself.

In addition, it might be cheaper, if you already have the infrastructure to host a password manager securely.

but nothing stops them applying those same limitations to the self-hosted version, and not many people would go and maintain their own fork in the short term before/if a community fork pops up

1 Like

but nothing stops them applying those same limitations to the self-hosted version,

They already do, and the community just bypasses it in the code.

and not many people would go and maintain their own fork in the short term before/if a community fork pops up

I’m not quite sure how Vaultwarden is doing it. But since it is a complete rewrite of the Bitwarden backend in Rust and unlocked the locked features as well as introduced new features, I assume they are capable of it.

But yeah that’s a good point.

1 Like

That’s a big if. Sure, if you have everything figured out then it would make sense, but not for a beginner. Redundancy is the biggest concern for me. If your hardware explodes next year then you’d lose all of your saved passwords in Vaultwarden. The Vaultwarden repo doesn’t do a good job of explaining this, so if you’re a beginner you could be caught with your pants down.

Vaultwarden gives you the freedom to move away from Bitwarden if they start doing shitty things, but doing it now doesn’t make sense to me as Bitwarden has a good reputation.