HACKER Q&A
📣 QuikAccount

How do you securely self-host a server?


Every few weeks or so there is a post on HN pleading with people to consider self hosting their own services. As enticing as that sounds, I'm sure I'm not the only one that has no idea how to secure said services. Spinning up a server is no problem, keeping it secure on the other hand is a feat I have no idea how to accomplish.


  👤 MitchellCash Accepted Answer ✓
I prefer to run Ubuntu machines and at least in terms of provisioning a new secure server I built an Ansible playbook I called 'ANU' (as in A New Ubuntu). I'd expand to other distros, but then I'd have to change the name!

https://github.com/MitchellCash/ansible-anu

It is based on the DevSec OS/SSH hardening playbooks, but I lean closer towards ease-of-use over security where I think it makes sense. For example, I disable forced password rotation and I keep the default umask value of '022' instead of the more secure '027'.

When I come across something the upstream playbooks change that "gets in my way", I will disable it if the security trade off makes sense for me. I'm not running highly sensitive systems, so these trade-offs make sense for me, and maybe they will for you as well!

In terms of ongoing security upkeep, I run the usual `apt update && apt dist-upgrade` when I can, but I’ll be keeping my eye on this thread for additional advice.


👤 4oo4
Although you didn't state your OS, I'm going to assume we're talking about Linux. As others mentioned, reading hardening guides is a first step. Those will tell you how to avoid the most common configuration footguns and reduce attack surface.

Obviously a good firewall (ufw suffices) is a must. Use a reverse proxy web server back to your web apps (I prefer nginx, but caddy is another good one). In your reverse proxy web server, also set up web application firewall config to flag suspicious things (for example, anyone going to a URL with `../` or `/etc/passwd` is clearly up to no good, as is a user-agent that's a known scraping tool). In particular, I like using the custom HTTP 444 response code with nginx, so I can instantly flag the worst offenders.

Then, use fail2ban to blacklist hosts that are up to no good. If you can create a regex for something in a logfile, you can automatically ban almost anything. However, fail2ban is a very powerful footgun, and if misconfigured you can easily ban yourself from your own server! That said, fail2ban is probably the best hardening tool, since you greatly reduce the number of tries that someone has to exploit something, and severely slow them down.

Finally, regular monitoring and patching. I swear by check_mk for monitoring, so I can see every suspicious query that's coming through, and instantly identify most ongoing attacks. Fail2ban takes care of 99% of the work if it's configured correctly, but the worst attacks are the ones that you don't know are happening.

I've been self-hosting most of the webapps I depend on for almost 10 years now, and I can say that self-hosting is extremely fun, but does require a decent time commitment to maintain your infrastructure. However, if you are willing to invest time in automation with some basic shell scripting, you can get this down to less than an hour per week, which is mainly just checking your monitoring console and scheduled jobs.

If this sounds too daunting but you still want to go this route, check out yunohost: https://yunohost.org/#/
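As an added example (not the commenter's code or config), here is the detection half of the fail2ban-style filtering described above, run over constructed nginx access-log lines: it lists client IPs that exceed a retry threshold on the patterns the post names (`../`, `/etc/passwd`, scanner user-agents), and skips an allowlist so a careless pattern cannot ban your own address. The regex, the threshold, the allowlist addresses and the scanner names are assumptions chosen for the sample.

```shell
#!/bin/sh
# Added example, not code from the thread: a fail2ban-style filter over
# constructed nginx access-log lines. It prints client IPs with more than
# MAXRETRY suspicious requests, skipping an allowlist so a bad pattern
# cannot lock you out (the "footgun" the post warns about).
# Pattern, threshold and allowlist are assumptions for this sample.

# Patterns the post calls out: path traversal, /etc/passwd, scanner
# user-agents. The tool names in the user-agent part are illustrative.
SUSPICIOUS_PATTERN='(\.\./|/etc/passwd|sqlmap|masscan|nikto)'
MAXRETRY=3
ALLOWLIST='^(127\.0\.0\.1|10\.0\.0\.5)$'   # assumed: your own addresses

# find_offenders LOGFILE -> prints one offending client IP per line
find_offenders() {
    grep -E -i "$SUSPICIOUS_PATTERN" "$1" \
      | awk '{ print $1 }' \
      | grep -E -v "$ALLOWLIST" \
      | sort | uniq -c \
      | awk -v max="$MAXRETRY" '$1 > max + 0 { print $2 }' \
      | sort
}

# Constructed sample log in nginx "combined" format (not real traffic):
# 203.0.113.7 makes four suspicious requests, 198.51.100.9 only one, and
# 10.0.0.5 is noisy but allowlisted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /../../etc/passwd HTTP/1.1" 444 0 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /etc/passwd HTTP/1.1" 444 0 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php?x=../ HTTP/1.1" 444 0 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "sqlmap/1.7"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:07 +0000] "GET /../x HTTP/1.1" 444 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:08 +0000] "GET /etc/passwd HTTP/1.1" 444 0 "-" "nikto"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /etc/passwd HTTP/1.1" 444 0 "-" "nikto"
10.0.0.5 - - [01/Jan/2024:10:00:10 +0000] "GET /etc/passwd HTTP/1.1" 444 0 "-" "nikto"
10.0.0.5 - - [01/Jan/2024:10:00:11 +0000] "GET /etc/passwd HTTP/1.1" 444 0 "-" "nikto"
EOF

echo "clients with more than $MAXRETRY suspicious requests:"
find_offenders "$SAMPLE_LOG"
```

Run it and only `203.0.113.7` is printed: the second client stays under the threshold and the third is on the allowlist. The same regex, with `<HOST>` in place of the IP field, is what goes into a fail2ban filter's `failregex`, and `MAXRETRY` corresponds to the jail's `maxretry`; the allowlist is the step to get right first, because fail2ban will happily apply the ban to the address you administer from.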


👤 erulabs
I’m building a product that tries to make this easy at https://pibox.io - but “secure” is a vague and tall goal post - although we cover things like service updates, firewalls, and abuse monitoring. Planning on a proper HN launch post soon!

👤 water8
Don’t plug in the ethernet cable ever and encase in 12ft concrete + faraday cage. You can install a window for viewing your files securely

👤 more_corn
Look at previous hacks. Un-patched packages and services, bad passwords, unexpected privileges.

Only allow in the service port to minimize your attack surface. Automatic security updates. WAF if you can. Cloudflare has a free tier with WAF. Maybe deploy a SIEM so you can alert on unexpected behavior.


👤 mikewarot
Pretty much anything is vulnerable to a zero day exploit of some form or another. If you have data you wish to publish, or data that you wish to ingest in one direction only, a data diode might be helpful.

In this case, you manage the outside server, hardening it as best you can, and set up monitoring of bandwidth use, etc. through a network switch, etc.

The data diode will only pass data in your preferred direction, and can't leak it in the reverse direction.

In the case of inbound data only, you are protected against any data egress.

In the case of output data only, you are protected against ingress of control. You still have to watch for exploits pushing data out through the diode, but you can be sure any hack won't have been sourced from the internet.


👤 bob1029
Your security objectives are important if you are hoping to make any meaningful progress.

Are you concerned about DDOS? If yes, then don't self-host or use CF Tunnels.

Are you concerned about someone hacking your site with a buffer overflow? If yes, then make sure you patch frequently.

Are you concerned about someone hacking your site with any variant of a 0-day? If yes, then you need to air-gap and/or not use a computer at all.

Are you concerned about crappy business logic letting a bad session in? If yes, then you are in the wrong rabbit hole. You should be fixing your software until it provides the necessary degree of confidence. This has nothing to do with the server or hosting.

I don't think any of the above are modulated by self-hosting vs AWS hosting.


👤 bravetraveler
Most of the people doing this are on a LAN with a commodity firewall (modem/router combo)

I think their security posture mainly stems from being isolated in this way.

I've seen enough questionable suggestions like disabling the host firewall/SELinux that I doubt there are many layers to their security onion.

To be fair, I do rely on the network gateway too. It's pretty much all on my LAN, on a separate VLAN.

Additionally... most of my services are on a 'mesh' style VPN called Nebula. This lets the things I really need to access outside of home work while not being quite as exposed.


👤 rank0
It requires lots of knowledge and elbow grease. Your security concerns also greatly depend on what services you plan to make publicly available.

The most important basic groundwork is proper firewall setup and network segmentation. Your personal LAN should not be directly routable from your public services. Also ensure that security updates are applied ASAP. Start learning about hypervisors and proper VM orchestration.

The best way to get started IMO is via a hybrid approach. Use cloud resources where appropriate to supplement your local infrastructure.


👤 nicolaslem
- Apply the principle of least privilege everywhere

- Apply security patches regularly

- Setup automated backups of important data

Following these three points puts you ahead of 90% of servers out there.


👤 blablabla123
Install only software that you use and prefer minimal installations. (Debian has good defaults.) Then you can install the unattended-upgrades package, and when using ssh don't set up a password but use ssh keys. Also ufw needs to be enabled, and then you can use nmap to scan for open tcp and udp ports. (Of course it's also possible to filter outgoing connections; by default only the package servers need to be accessed.)

If you install services like email or http prefer software with a small footprint and with few CVEs in the past. Since http services are quite common, it's advisable to put a reverse proxy in front. Separate users for separate services is also a good idea.

Never had any issues with that kind of setup. Of course it's possible to add additional hardening like using an ssh jump host or a VPN to access ssh. (Probably advisable if you plan to put private data on it.) Also using SELinux is an option; Fedora has it by default.
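As an added example (not the commenter's own setup), here is a small audit of the sshd settings the post recommends, keys instead of passwords plus no direct root login: it reads an sshd_config-style file, reports each directive that is missing or set to the wrong value, and returns the number of findings so a provisioning script can stop on a non-zero status. Assumptions: the file uses `Directive value` lines only (no `Key=value` form, no `Match` blocks), the first occurrence of a directive wins as it does in sshd, and both sample configs are constructed rather than copied from a real host.

```shell
#!/bin/sh
# Added example, not the commenter's setup: audit an sshd_config-style file
# for the settings the post recommends. Prints every directive that is
# missing or wrong; exit status = number of findings.
# Assumptions: "Directive value" lines only (no Key=value, no Match blocks);
# first occurrence wins, as in sshd; sample configs below are constructed.

# effective_value FILE DIRECTIVE -> first uncommented value, or "" if unset
effective_value() {
    awk -v key="$2" \
        'tolower($1) == tolower(key) && !found { v = $2; found = 1 }
         END { print v }' "$1"
}

# audit_sshd FILE -> prints findings; exit status = number of findings
audit_sshd() {
    findings=0
    for pair in PasswordAuthentication=no PubkeyAuthentication=yes \
                PermitRootLogin=no PermitEmptyPasswords=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key" | tr '[:upper:]' '[:lower:]')
        if [ -z "$got" ]; then
            # Missing counts as a finding: the compiled-in default for
            # PasswordAuthentication is "yes", so silence is not safety.
            echo "MISSING  $key (want $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG    $key=$got (want $want)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed samples: a fresh install still allowing password login, and
# the state the post recommends.
BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
cat > "$BAD_CFG" <<'EOF'
# Commented lines show defaults and must be ignored by the audit
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF
cat > "$GOOD_CFG" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
EOF

audit_sshd "$BAD_CFG" || echo "$? finding(s) in the fresh-install sample"
audit_sshd "$GOOD_CFG" && echo "hardened sample: no findings"
```

The fresh-install sample yields three findings (password login on, root login not fully disabled, `PermitEmptyPasswords` unset) and the hardened one none. On a live host, `sshd -T` prints the effective configuration with defaults filled in and is the authoritative input for a check like this, and `ss -tuln` shows what is listening locally, the inside view that complements the nmap scan the post suggests from outside.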


👤 khalidx
Does anyone have a link to a good server hardening guide that they can share here? Specifically and especially when running servers locally, or on things like AWS or DigitalOcean.

So many guides online, and the uninitiated can rarely differentiate between a good one and an outdated one. I’ve used a good one in the past but can’t think of it right now.


👤 explaingarlic
As far as DDOS protection goes, I'd like some tips there. Also, a question - if I have a 1Gbps home connection am I strictly screwed if someone is sending a little more than 1Gbps to me UDP-wise? It's the kind of question that seems simple but I've never been able to make my own simple answer.

👤 undead_bunny
Reading this topic has made me realize I don't even have a very solid image of what a "server" would be in this case. Is it a machine running an OS? A specific program listening on a port?

Does anyone have any recommendations for "Setting up a server 101" that could help shed some light on this?

Thanks!


👤 CKMo
Depending on what you're interested in, try this out!

https://discuss.pomerium.com/t/this-little-nas-that-could/80


👤 QuikAccount
I appreciate everyone dropping in with comments and advice on how to do this. My basic takeaway from this is that it is absolutely not worth doing for the average person. I might give it a go though just to see if I enjoy it as a hobby.

👤 XCSme
Follow the common security practices (ssh only login, firewall, etc.), only install trusted programs and don't worry if you get "hacked"; make sure you monitor your server and have backups if it happens.

👤 zaptheimpaler
My approach so far is just run tailscale (or some other VPN) and don't serve stuff on the public internet.

Your response is typical of what happens when regular people ask this question - see an insane number of suggestions and best-practices and promptly give up. The amount you invest in security should be proportional to the consequences you incur in case of a breach. For someone just starting out, don't put anything too sensitive on the server, do the simplest security steps you know how to do and get started. You can scale up the security to insane paranoid nation state levels if/when the consequence of a breach is bad enough to warrant it.


👤 boxingrock
Don't host anything crypto related, set up ssh with public key auth using a strong passphrase, restrict access via vpn / only expose the required ports via firewall, ensure your services don't report version numbers to avoid fingerprinting, be cognizant of the software running on the box so if/when the next log4j happens, you're able to react accordingly.

👤 zhte415
Ask yourself: Does it need to be in the cloud, always available?

If not, then your problem may be eased via solutions that can give you better peace of mind.


👤 Bombthecat
Run the CIS Benchmark tool.

👤 jiveturkey
You have to start with: What is secure?