I’m a software developer working in the telecam sector on security related products, so I know a fair bit about system security. Yet I wound secure my own system far less than most people here if I didn’t enjoy cybersecurity as a hobby.

I wonder what you are securing against? Some examples:

  • jellyfin: unless you have home videos on there, what does it matter if someone exfiltrates some movies? Surely you have basic DOS protection and/or region locking to reduce wasted network traffic, right?
  • linux: I assume nobody is using their servers as daily drive PCs, so what does it matter if somehow your system is superficially compromised. You can always reimage. Sure they could mine some bitcoin with your system, but it doesn’t have that much PSU headroom to cost you much on your bills, right?

It just seems like most attack vectors lead to mild annoyance at most for most systems.

Do you guys just enjoy cybersecurity? Do you actually keep sensitive data on your self hosted systems? Do you self-host on expensive hardware? What am I missing?

  • confusedpuppy@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 hours ago

    I’ve been trying to find a balance between what I currently own, what I can do with it and using as little outside resources to self host. I’m also cautious about what has access to the internet which limits what I host.

    I have two Raspberry Pi’s. One is only accessible through my home’s local network through my WiFi Extender network. That WiFi extender also helps hide my personal network from my ISP which see’s everything connected to the main modem/router. This Pi is strictly for my IoT devices.

    My other Pi is a web facing server. It has Caddy and Kiwix. It hosts a static blog, simple file server which servers my git repositories, some survival ebooks, plain text recipes and a bunch of programming related resources. Kiwix has a bunch of wikis, Wikipedia to survival stuff, vegetarianism, coding stuff and things surrounding those topics generally. I generally avoid anything that uses databases because I don’t have the energy to learn, maintain and protect that. Plus I have a focus on small, low powered minimalism.

    Those Pi’s both use Alpine Linux. I chose Alpine because it’s small and uses less common tools. doas over sudo, OpenRC over SystemD, and Musl over glibc. It’s a bit of security by obscurity but I’ve also made efforts to harden Alpine Linux itself too. I’ve disabled a lot of kernel modules, made strict firewall rules, and made sure to include the use of apparmor. I’ve also written all my backup solutions and maintenance scripts myself and tested as thoroughly as I am capable of. I also avoid complexity by keeping things as minimal as possible to reduce the surface area of any possible attacks.

    I use podman containers to keep everything in the userspace. Caddy is my reverse proxy which means only one port is freely accessible to the internet. I also use a wildcard cert to obscure my publicly available information and use an uncommon port instead of the standard 80/433 ports. Because of the wildcard cert/uncommon port, I receive no bot traffic so I don’t feel the need to use Cloudflare or Anubis. I’m hidden enough and the only people I want on my blog/file server/Kiwix wiki’s are close friends.

    For SSH, I’ve hidden all those behind WireGuard so the second open port to my web server looks hidden from scanners (at least that’s how I understand it). I used to use a custom port which only got about 15 hits a week from bots appearing from the Netherlands. That number has since dropped to zero after setting up WireGuard. I’m sure the bots are attempting but they aren’t making any appearances in my logs and that’s good enough for me.

    I’m happy more talk about security has been popping up lately. So many websites focus on getting things running and just don’t take any time to talk about security. I had to switch from docker to podman because docker had so much control over iptables that never got reported to ufw which was a concern for me. That point is rarely talked about since it’s so easy to copy and run a docker-compose.yml file.