Hey guys,

after reading up on selfhosting for weeks now I finally decided to take the plunge today and tried setting up my own nextcloud & jellyfin instances. For this purpose I am using a mini PC. (similiar to an Intel NUC)

Now I would like to make both services available to the internet so I could show images to friends while I’m at their place / watch movies with them.

The problem is I am currently not very educated on which security measures I would have to take to ensure that my server / mini PC doesn’t immediately become an easy target for a hacker, especially considering that I would host private photos on the nextcloud.

After googling around I feel like I find a lot of conflicting information as well as write-ups that I don’t fully grasp with my limited knowledge so if you guys have any general advice or even places to learn about all these concepts I would be absolutely delighted!

Thank you guys sooo much in advance for any and all help, the c/selfhosted community has been nothing but a great resource for me so far!!!

  • @vegetaaaaaaa
    link
    English
    41 year ago

    I serve HTTP 403 for all requests to the default vhost and log them, harvest IPs through a log aggregator (or just fail2ban) and tag them as bad bots/scanners, and eternal-ban them on all my hosts. Currently have 98451 addresses or networks in my ipset for these.

    For requests to actual domains, I ban after a few unsuccessful authentication attempts. A WAF is nice to have (tedious but fun to set up) - currently working on improving my Modsecurity setup.

    Other than that there is already good advice here:

    • keep OS/packages/installed services up-to-date
    • only run software from trusted (ideally signed) sources
    • use host and network-based firewalls
    • use strong encryption and authentication everywhere
    • only expose what is absolutely required
    • implement good privilege separation (even dedicated users for each app/service, proper file ownership/permissions goes a long way)
    • run scanners to detect possible misconfigurations/hardening measures (systemd-analyze security was mentioned, I also like lynis and debsecan)
    • set up proper logging/monitoring alerting