I’m a software developer working in the telecam sector on security related products, so I know a fair bit about system security. Yet I wound secure my own system far less than most people here if I didn’t enjoy cybersecurity as a hobby.
I wonder what you are securing against? Some examples:
- jellyfin: unless you have home videos on there, what does it matter if someone exfiltrates some movies? Surely you have basic DOS protection and/or region locking to reduce wasted network traffic, right?
- linux: I assume nobody is using their servers as daily drive PCs, so what does it matter if somehow your system is superficially compromised. You can always reimage. Sure they could mine some bitcoin with your system, but it doesn’t have that much PSU headroom to cost you much on your bills, right?
It just seems like most attack vectors lead to mild annoyance at most for most systems.
Do you guys just enjoy cybersecurity? Do you actually keep sensitive data on your self hosted systems? Do you self-host on expensive hardware? What am I missing?
Do you actually keep sensitive data on your self hosted systems?
People self-host photos, documents, code, passwords, chats, and other sensitive stuff. Even Jellyfin in your example can get you into legal troubles if your pirated (or even legally obtained and ripped) content suddenly becomes public.
What am I missing?
That it’s 2026 and our lives are heavily digitalized. I’d understand this question in 2000 where you’d probably host a few html files and a counter-strike server, but come on.
I’ve been trying to find a balance between what I currently own, what I can do with it and using as little outside resources to self host. I’m also cautious about what has access to the internet which limits what I host.
I have two Raspberry Pi’s. One is only accessible through my home’s local network through my WiFi Extender network. That WiFi extender also helps hide my personal network from my ISP which see’s everything connected to the main modem/router. This Pi is strictly for my IoT devices.
My other Pi is a web facing server. It has Caddy and Kiwix. It hosts a static blog, simple file server which servers my git repositories, some survival ebooks, plain text recipes and a bunch of programming related resources. Kiwix has a bunch of wikis, Wikipedia to survival stuff, vegetarianism, coding stuff and things surrounding those topics generally. I generally avoid anything that uses databases because I don’t have the energy to learn, maintain and protect that. Plus I have a focus on small, low powered minimalism.
Those Pi’s both use Alpine Linux. I chose Alpine because it’s small and uses less common tools.
doasoversudo, OpenRC over SystemD, and Musl over glibc. It’s a bit of security by obscurity but I’ve also made efforts to harden Alpine Linux itself too. I’ve disabled a lot of kernel modules, made strict firewall rules, and made sure to include the use of apparmor. I’ve also written all my backup solutions and maintenance scripts myself and tested as thoroughly as I am capable of. I also avoid complexity by keeping things as minimal as possible to reduce the surface area of any possible attacks.I use
podmancontainers to keep everything in the userspace. Caddy is my reverse proxy which means only one port is freely accessible to the internet. I also use a wildcard cert to obscure my publicly available information and use an uncommon port instead of the standard 80/433 ports. Because of the wildcard cert/uncommon port, I receive no bot traffic so I don’t feel the need to use Cloudflare or Anubis. I’m hidden enough and the only people I want on my blog/file server/Kiwix wiki’s are close friends.For SSH, I’ve hidden all those behind WireGuard so the second open port to my web server looks hidden from scanners (at least that’s how I understand it). I used to use a custom port which only got about 15 hits a week from bots appearing from the Netherlands. That number has since dropped to zero after setting up WireGuard. I’m sure the bots are attempting but they aren’t making any appearances in my logs and that’s good enough for me.
I’m happy more talk about security has been popping up lately. So many websites focus on getting things running and just don’t take any time to talk about security. I had to switch from docker to podman because docker had so much control over
iptablesthat never got reported toufwwhich was a concern for me. That point is rarely talked about since it’s so easy to copy and run a docker-compose.yml file.Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System Git Popular version control system, primarily for code ISP Internet Service Provider IoT Internet of Things for device controllers Plex Brand of media server package SSH Secure Shell for remote terminal access VPN Virtual Private Network
7 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.
[Thread #43 for this comm, first seen 6th Jul 2026, 13:20] [FAQ] [Full list] [Contact] [Source code]
lambdabeta — tu pregunta sobre el “daño real” me hizo recordar el caso de un SaaS que lancé con logs abiertos por error. Detectamos 2000 intentos de inyección SQL en 12 horas, cero datos filtrados, pero los crawlers de Google Ads se comieron el presupuesto en CPC porque la página tardaba 5 segundos en responder. El ataque no era el objetivo, era el efecto colateral: costes ocultos en minutos. Si tu server no mueve dinero, el peor daño suele ser el tiempo perdido limpiando https://cxgo.ai/l/VnBgp1i .
From my perspective, self hosting is a hobby, we run services we feel we need, but it’s also something we do for fun. As such some people enjoy thinking about and deploying the most secure server possible, regardless of actual threats. However, to directly answer your question, yes there isn’t really a lot that can be stolen from a self host residential server, maybe if you hack a valutwarden instance and acquire all the credit card details stored in it and all the id’s stored in it. But the main hack isnt stealing, but deploying a bot net of some sort.
You’re a cyber security developer but don’t understand how a compromised device on your network compromises your entire local network?
Don’t mean to be rude but it seems like a basic principle.
This seems like a fishing expedition post.
Something’s fishy, that’s for sure. Im just not sure what.
The worst I had was a credential-stuffer bot that used a set of leaked credentials to get on my mail server and send spam. I changed the password within 5 minutes and it stopped. That was the end of it.
Once I had someone deface a website because wordpress wasn’t patched. I just restored the site from backup and moved on with life.
I would think that most of the time, you just join a botnet.
BUT someone getting into your email can let them do password resets to all your accounts. Then again, I self-host my email because all mail providers are reading your email by default. I’d still rather self-host it.
i don’t have any complex ‘webapp’ hosted on www. just static files and few simple cgi scripts. i keep my httpd and sshd up to date. that seems to be good enough
there’s nothing important on the server anyway, so i don’t have much to lose even if i get pwned
Nobody gives half a shit about my personal data or dick pics but I don’t want to contribute my bandwidth somebody’s botnet. No expensive hardware here, it’s all the old desktops that I’ve upgraded from but won’t throw out because they haven’t caught on fire yet.
Last part is only mostly true, one did catch on fire but is doing much better now.
My biggest concern is pivoting. Specific to Jellyfin, many users are using docker, but do not isolate the user so the daemon is operating as root. With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.
Again, for the linux mention, the answer is pivoting. Many machines use Tailscale. If one of those machines were to be compromised using Tailscale’s default ACL, they would be able to move laterally through the network without issue. At that point, it would be possible to modify existing nodes (ex. subnet routers, exit nodes, etc) or even add additional rogue nodes.
The question of why people care is tricky. Why should you care if your networked printer is using out of date firmware? It likely isn’t storing personal information, right? It’s a prime target because it’s easy, poorly monitored, and opens another door. A lot of infosec is just keeping doors shut so other doors don’t get opened.
With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.
Can you elaborate more on this? Assuming an attacker is in the Jellyfin container with full remote code execution, how could they mount the host filesystem?
It would depend on having access to misconfigured permissions or docker.sock like when you chain containers to manage other containers. Because you have access to docker.sock and that socket can send API calls to the docker daemon (which is run from root) those commands would inherit the same level of access. An attacker could make the API call to mount
/:/rootand then access the host filesystem.It’s just an example of how even though the container might not have anything worthwhile, it can be used to laterally move and open another door.
Got it. Access to docker.sock is definitely something to be wary of, or CAP_ADMIN, or access to certain host devices.
Worth mentioning though that Jellyfin usually has none of these.
Also worth mentioning that Linux recently has had two massive privilege escalation vulnerabilities that bypass system namespacing and thus also provide container escapes.
I wonder what you are securing against?
OK, you’re familiar with vulnerability scanners and port scanners right?
The threat model here isn’t really attackers specifically targeting your home network for any particular reason (unless you’re a LastPass engineer working remotely while running an exposed Plex server). They’re not looking for you, they’re looking for anything useful.
The threat model is attackers using scanning tools to discover vulnerable systems connected to the Internet. All they need from you is an active connection and a system that can store data, from which they can host malware files for distribution to other targets or conduct attacks or just run a cryptominer (if you’re lucky and they’re not very ambitious). They can find this by scanning for open ports and then running a vulernability scanner to figure out if there’s some exposed hardware that can be exploited.
An unsecured system is a hazard that could land you in jail when someone else starts using your device and network connection to commit crimes.
Now, as long as you’re behind a standard residential network service, and your ISP is in control of your gateway device, you’re relatively safe from this. Most ISPs will block any traffic like that very strictly. If your ISP is in control of your gateway device then they’re responsible for its behavior (demarcation matters).
But, most self-hosters run into limitations with their ISP blocking a lot of ports by default, because they want to access their personal server from outside their home, and so they take control by running their own gateway device or paying for a business connection which gives them complete control over which ports are open. This is where the risk comes in. You are assuming the responsibility for properly securing your connection to the public Internet, taking it off your ISP’s hands.
If you’re going to do this, you should know exactly which ports you have open to the outside and why, and a general idea of what traffic you expect to see on them when and how much. Monitor that traffic at your firewall. Every other port should be closed and your firewall (on your router, gateway device, or better yet a dedicated OPNSense firewall) should be configured to drop packets received by closed ports (“stealth” mode). You don’t want it to respond that those ports are blocked, you want it to appear to not be there at all.
Every other security implementation is a secondary concern for a home network. Yes you should patch your software regularly and you should practice deny-by-default and least-privilege as a matter of course, but you’re going to mitigate 90% of your risk by just not accepting incoming connections for anything you don’t need. Most vulnerable systems are discovered by automated scanning, so the less your system responds to external connections the better. If you’re going to worry about configuring, securing and patching one device, make it that front line firewall. And be very selective about which internally hosted services you expose externally.
nothing is exposed publicly except a VPN. no key, no service. (edit: firewall rules only activate on special request from an app on my phone. via software I wrote that polls specific values with specific signatures)
VPN drops you to a vlan that only has app access through reverse proxies.
all network traffic is monitored and alerted using graylog. same for system logs as well.
all alerts notify me directly. all WiFi is whitelist only.
why so strict? mostly because I’m paranoid. I had a stalker earlier in my life that made me fully appreciate privacy.
I’d be worried about lateral movement. Something like a XSS in jellyfin that gets them to my browser on my main computer, or otherwise leveraging the network proximity in anyway to spread to other machines with stuff I care about.
The biggest threats I am concerned with are:
- my liability and harm to my reputation resulting from unauthorized abuse of my systems
- consumption of my limited Internet access bandwidth and capacity
- corruption or loss of my systems and data
- theft and sale or other abuse of my private data
The first results mostly from the risk of my systems being incorporated into bot nets.
The second from bot nets and abusive crawlers.
The latter results mostly from ransom ware or open ended theft and exploitation of my data.
The threats are not all from the Internet. I saw an article recently about ‘smart’ TVs that are configured to be part of a web scraping infrastructure that the vendors sell as a service, in some cases configured to use up to 200GB per month of bandwidth.
Public-facing services need at least a minimum level of security protection. All of my services are protected by the reverse proxy Caddy, and Crowdsec protects my system and services from malicious bots. My Flirt 2’s firewall bans all malicious bots that Crowdsec discovers.







