I just spun up a private instance of lemmy on the cheapest Linode. So far so good.

I used the ansible method of installing the instance on the default Debian 11 image from Linode (link below).

I feel a bit worried that there are no firewall instructions in the install documents. And no notes on securing your instance.

Any thoughts on how to set up ufw for a lemmy instance? Or thoughts on other security tips?

https://github.com/LemmyNet/lemmy-ansible

  • @[email protected]
    link
    fedilink
    English
    51 year ago

    To piggyback on other comments, a firewall only stops access to services you don’t want people to access.

    Presumably you WANT people to access your Lemmy install, so a firewall doesn’t really offer any added protection.

    If there’s an exploit in Lemmy, you might get bit, sure. It’s always a case of maintaining good backups, having a response plan in place and taking mitigation steps - patch the underlying OS, subscribe to release and security notifications so you know when an update or issue is found, and have a plan to either rapidly patch or disable services until you can patch them.

    If you want to dive into more depth, there’s an awful lot of tooling from fail2ban to Crowdsec’s offerings to a whole slew of SIEM options you could implement to monitor traffic to your host to identify and take action on suspicious and/or outright malicious traffic, but that’s going to have to be a case of you deciding how much risk is okay and how much time you want to invest in mitigating.

    It’s one of those 10% of the time can solve 90% of problems thing, so if it’s just a case of ‘well if something happens I’d be annoyed’ it’s maybe not worth investing a huge amount of time beyond updates and basic monitoring.

    • @[email protected]OP
      link
      fedilink
      English
      31 year ago

      Great perspective. Thanks. I am running a different production web server with fail2ban, knock and other mitigation strategies in place. In the case of lemmy Linode does automatic backups. I’ll have a think about how much work I want to put into this. A hack or crash would mostly be an annoyance.