I’m a software developer working in the telecam sector on security related products, so I know a fair bit about system security. Yet I wound secure my own system far less than most people here if I didn’t enjoy cybersecurity as a hobby.
I wonder what you are securing against? Some examples:
- jellyfin: unless you have home videos on there, what does it matter if someone exfiltrates some movies? Surely you have basic DOS protection and/or region locking to reduce wasted network traffic, right?
- linux: I assume nobody is using their servers as daily drive PCs, so what does it matter if somehow your system is superficially compromised. You can always reimage. Sure they could mine some bitcoin with your system, but it doesn’t have that much PSU headroom to cost you much on your bills, right?
It just seems like most attack vectors lead to mild annoyance at most for most systems.
Do you guys just enjoy cybersecurity? Do you actually keep sensitive data on your self hosted systems? Do you self-host on expensive hardware? What am I missing?


OK, you’re familiar with vulnerability scanners and port scanners right?
The threat model here isn’t really attackers specifically targeting your home network for any particular reason (unless you’re a LastPass engineer working remotely while running an exposed Plex server). They’re not looking for you, they’re looking for anything useful.
The threat model is attackers using scanning tools to discover vulnerable systems connected to the Internet. All they need from you is an active connection and a system that can store data, from which they can host malware files for distribution to other targets or conduct attacks or just run a cryptominer (if you’re lucky and they’re not very ambitious). They can find this by scanning for open ports and then running a vulernability scanner to figure out if there’s some exposed hardware that can be exploited.
An unsecured system is a hazard that could land you in jail when someone else starts using your device and network connection to commit crimes.
Now, as long as you’re behind a standard residential network service, and your ISP is in control of your gateway device, you’re relatively safe from this. Most ISPs will block any traffic like that very strictly. If your ISP is in control of your gateway device then they’re responsible for its behavior (demarcation matters).
But, most self-hosters run into limitations with their ISP blocking a lot of ports by default, because they want to access their personal server from outside their home, and so they take control by running their own gateway device or paying for a business connection which gives them complete control over which ports are open. This is where the risk comes in. You are assuming the responsibility for properly securing your connection to the public Internet, taking it off your ISP’s hands.
If you’re going to do this, you should know exactly which ports you have open to the outside and why, and a general idea of what traffic you expect to see on them when and how much. Monitor that traffic at your firewall. Every other port should be closed and your firewall (on your router, gateway device, or better yet a dedicated OPNSense firewall) should be configured to drop packets received by closed ports (“stealth” mode). You don’t want it to respond that those ports are blocked, you want it to appear to not be there at all.
Every other security implementation is a secondary concern for a home network. Yes you should patch your software regularly and you should practice deny-by-default and least-privilege as a matter of course, but you’re going to mitigate 90% of your risk by just not accepting incoming connections for anything you don’t need. Most vulnerable systems are discovered by automated scanning, so the less your system responds to external connections the better. If you’re going to worry about configuring, securing and patching one device, make it that front line firewall. And be very selective about which internally hosted services you expose externally.