58
Home Server Security (sh.itjust.works)

Hey guys,

Currently im just running calibre and nextcloud docker containers over the web, with a ddns from noip and a cloudflare domain. But i also want to setup a vaultwarden container too, so now i need to really consider the security of my server. What are the main things to watch out for? Calibre and nextcloud are just using subdomains, is it okay to have a subdomain to connect to vaultwarden? Am i better off just trusting bitwarden and sticking with them?

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[-] mspencer712@lemmy.fmhy.ml 10 points 1 year ago

Security is a tough thing to give advice about. Different people have different levels of risk tolerance. It’s embarrassing to give advice about one’s personal views - tedious to write - and then get replies about how that’s too much security, too little security, etc.

Attackers can use tricks to enumerate dns subdomains. They can compromise one container and pivot to the container host.

You can frustrate automated compromises by putting up roadblocks or speed bumps they have to get through before seeing the stock landing or login pages for well known apps. That can buy you a little time if a serious exploit is discovered and you know you won’t be on top of container updates. But stay on your container updates.

[-] beppi@sh.itjust.works 2 points 1 year ago

Im assuming youd recommend using something like watchtower then? Or would you say its better to just ssh in and docker pull every now and then?

[-] mspencer712@lemmy.fmhy.ml 2 points 1 year ago* (last edited 1 year ago)

I’m a bad one to get how-to advice from if you’re starting out. Not a fan of docker and I don’t know what watchtower is. I’m one of those electricity-wasting home labbers who loves ESXi, vlans, and /30 nets for each individual VM.

I’m also one of those who takes months to accomplish what someone competent can do in days. It’s taking me forever to get openldap, postfix, dovecot, and roundcube to all play nice. (Because I’m trying to “be like daddy” and mimic the security I see at work, I can’t follow normal walkthroughs, or just install an off the shelf container and make it someone else’s problem. But this way makes me read manuals and gain a deep, durable understanding of the technology. And it takes forever.)

[-] deepdive@lemmy.world 3 points 1 year ago

I wish It could be so simple for everyone... Docker is great when you have an old spare laptop and want to self host a few nice things: vaultwarden, traefik, searxng... Sure it's relatively new compared to VMs and is going to have some security flaws and reworks during the maturing process... But VMs had also their ups and downs long time ago before It got in a stable maturing state !

VM are nice but we (in my opinion) as human species need to find other solutions to get away from energy, rare metal hungry devices... something in between docker and VMs. But that's just my opinion.

Plus, docker and derivatives are also really interesting technologies where you have to read manuals and gain deep and durable knowledge to understand the future of virtualization.

[-] mspencer712@lemmy.fmhy.ml 3 points 1 year ago

Totally agree. I think you’ve picked up on an attitude problem I need to fix, as that is keeping me from embracing a really useful technology. You caught me admitting to a bias that I know isn’t always true.

this post was submitted on 17 Jul 2023
58 points (100.0% liked)

Selfhosted

39937 readers
403 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS