this post was submitted on 08 Sep 2024
84 points (96.7% liked)

Selfhosted

40693 readers
790 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From


22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person 3 points 3 months ago* (last edited 3 months ago) (3 children)

You cant. You can only do your best to make it as secure as possible, but given enough time, someone can break it.

Basic tips:

  • don't run any services on their defaults ports
  • don't allow password auth for any exposed service. Ever.
  • run intrusion detection (fail2ban for simple ssh / Crowdsec for something a little beefier)

For ssh specifically, lock down your sshd config, make sure only key-based auth is enabled, and maybe as an extra step, create a dedicated user, and jail it by only allowing it access for the commands you need to interact with.

[–] novalex 1 points 3 months ago (2 children)
[–] just_another_person 1 points 3 months ago* (last edited 3 months ago) (1 children)

Not sure I can expand on it a ton more in a way that will make sense if it already doesn't sound familiar.

Basically, there are various methods to authenticate yourself to most services. Password is usually the weakest and most succeptible to brute-force and social engineering. There's certificates, key pairs, RBAC...etc. You can even setup TOTP/MFA really easily for anything that supports it these days. Just don't leave a service hanging out on the Internet to get brute-forced by password though.

If you're unfamiliar with this, start with SSH and key pairs. It's probably the simplest intro and you can be up and running to try it out in seconds.

[–] novalex 1 points 3 months ago

Got it, I’m aware password auth can be brute forced, sadly many services don’t support more advanced auth methods so I’ve got a couple homelab apps that can only do password auth. I’m using very strong passwords and 2FA where available, and have been looking into an SSO solution like Authentik, but again not all services are supported.