I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has “–net host”, although the containers can access host services because they have the option “–map-guest-addr” set, so I don’t know if this is any safer then “–net host”.

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don’t think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don’t really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

  • slug@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    2
    ·
    20 days ago

    does anyone have an actual horror story about anything happening via an exposed web service? let’s set aside SSH

    • Possibly linux
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      20 days ago

      Counter question

      How would you know something went wrong? Do you monitor all the logs? Do you have alerting?

      What happens if one service has a serious vulnerability and is compromised? Would an adversary be able to do lateral movement? For that matter are you scanning/checking for vulnerabilities? Do you monitor security tracker?

      All of these are things to consider

    • linearchaos@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      20 days ago

      Yeah, a company got toasted because one of their admins was running Plex and had tautulli installed and opened to the outside figuring it was read-only and safe.

      Zero day bug in tat exposed his Plex token. They then used another vulnerability in Plex to remote code execute. He was self-hosting a GitHub copy of all the company’s code.

      • mint_tamas@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        20 days ago

        This guy was running a three year old version of Plex with a known (and later fixed RCE), and was working for LastPass.

    • miau@lemmy.sdf.orgOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      20 days ago

      Id like to know as well. I definetely dont want to be the first person of that story tough

      Ive heard of someone who exposed the docker management port on the internet and woke up to malware running on their server. But thats of course not the same as web services.

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        3
        ·
        20 days ago

        Once a server is compromised there are lots of uses. Everything from DDOS attacks to obscuring attacks against other targets. An attacker doesn’t want to be discovered so they likely will hide as much as they can.