Secure Your Self Hosting!

Only after beginning my career in cybersecurity did I start to learn how scary a place the internet is. It can only be described as its own world. There are "safe" places, there are dangerous places. There are safe people, there are dangerous people. You can only survive the virtual world by being cautious and prepared - just like the real world. If you are interested in hearing about the 'dark side of the internet' please listen to the Darknet Diaries Podcast. It does have some very interesting stories; my current favourite is the Xbox Underground story (Ep.45 / Ep.46).

I will go over some basic ways to protect yourself while hosting on the internet. These tips will be great for general users too!

Stay Up To Date

The easiest tip to help protect yourself online is to stay up to date. Most successful attacks go through known vulnerabilities in outdated applications and operating systems. If you are notified that an update is out, all you have to do is hit update now. Easy peasy.

fail2ban

To describe fail2ban, I will use the first paragraph of the fail2ban wiki page:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Using this application, you can block any address that triggers log entries you do not like. As a personal example, when I was learning how to set up a multi-domain web server I did not want any scanners to attempt to access anything. All the sites I hosted were subdomains, so whenever there was a default log entry - period - I would block the IP address. I also set it up to block any request that was sent to the IP address rather than a domain name. This was a simple way to filter out a lot of bots before they would even hit my internal firewall.
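To make the fail2ban mechanics concrete, here is an added example (my own Python, not fail2ban's code) that applies the three jail settings fail2ban exposes, findtime, maxretry and bantime, to a few constructed sshd log lines; the hostnames and addresses are made up.

```python
# Added example: fail2ban-style ban logic over constructed log lines (not fail2ban's own code).
# It mirrors the jail settings fail2ban exposes: findtime (window in seconds), maxretry
# (matches tolerated inside the window) and bantime (seconds a ban stays in force).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines; the addresses are documentation ranges, not real hosts.
SSH_LOG = """\
Mar 10 10:00:01 vps sshd[911]: Failed password for root from 203.0.113.7 port 5000 ssh2
Mar 10 10:00:03 vps sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
Mar 10 10:00:04 vps sshd[913]: Failed password for root from 203.0.113.7 port 5002 ssh2
Mar 10 10:00:20 vps sshd[914]: Accepted publickey for deploy from 198.51.100.2 port 6000 ssh2
Mar 10 10:30:00 vps sshd[915]: Failed password for root from 198.51.100.9 port 7000 ssh2
Mar 10 10:45:00 vps sshd[916]: Failed password for root from 198.51.100.9 port 7001 ssh2
Mar 10 11:00:00 vps sshd[917]: Failed password for root from 198.51.100.9 port 7002 ssh2
"""
# A fail2ban failregex writes <HOST> where this regex uses the named group "host".
SSH_FAILREGEX = r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+)"
# Syslog-style timestamp at the start of each line, plus the strptime format to parse it.
SYSLOG_TS = (r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)", "%b %d %H:%M:%S")


def find_bans(log, failregex, ts_spec, findtime, maxretry, bantime):
    """Return {ip: ban_expiry} for every IP with >= maxretry matches inside findtime seconds."""
    fail = re.compile(failregex)
    ts_re, ts_fmt = re.compile(ts_spec[0]), ts_spec[1]
    history = defaultdict(list)  # ip -> timestamps of matches still inside the window
    bans = {}
    for line in log.splitlines():
        m = fail.search(line)
        if not m:
            continue  # lines the filter does not match (e.g. successful logins) are ignored
        ts = datetime.strptime(ts_re.search(line).group("ts"), ts_fmt)
        ip = m.group("host")
        # Sliding window: drop matches older than findtime, then record this one.
        history[ip] = [t for t in history[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(history[ip]) >= maxretry and ip not in bans:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans


def is_banned(bans, ip, now):
    """True while the ban is in force; the ban is lifted once bantime has elapsed."""
    return ip in bans and now < bans[ip]
```

The rule described above of banning any request sent to the bare IP address instead of a subdomain is the same function with maxretry set to 1 and a failregex written against the web server's access log.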

Reverse Proxy

In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself.[1] Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s).

Reverse Proxy Wikipedia Page

In layman's terms, it is a game of broken telephone with curtains (without the message loss 🙃). Bill whispers to Alice, Alice whispers to Joe. Bill is the original sender, but the message to Joe comes from Alice. All Joe gets is a whisper from Alice.

This is a common practice for hiding your downstream services. For self hosters, it is used to protect your residential/business IP address: the public will only ever see the address of a Virtual Private Server (VPS, more on that later) and will not be aware of your residential/business address.

Firewall

You can do what you want to hide your house, but if someone finds your house you want to protect it. A firewall is the metaphorical locks, doors and security on your house. It is amazing how much I have begun to respect this technology as I have transitioned my career from Application Development to Security Engineering. Firewalls do a lot more than simply block traffic, which was my naive initial impression. As an example, they now go to the extent of using sandboxes to detonate files in a virtual environment, ensuring the file has no malicious content. Think about that again: firewalls using mini-VMs to test-run files. Crazy.

Commercial Options

Here are the big three:

Your average self hoster most likely will not purchase a product from the companies listed above. That is fine; most self hosters also won't be targeted like some of the companies that use those products. I - fortunately - get to use one of these products for my home security, which I also believe to be the most secure product on the market. Win-win for me. Fortunately, there are options for everyone!

Open Source Options

I am a huge fan of open source; read my post on freeing myself from Windows. There are great open source firewalls available to the public. Will these products offer the same level of security? That is debatable, but I can guarantee you they will be better than nothing. So please, get yourself a firewall.

I would imagine these are the most popular open source firewalls on the internet. They are feature rich and deserve a look if you have no security set up and do not want to spend money.

Segregate Your Networks

Back to the tactics: segregate your networks to increase your security. This is a great way to limit the impact of a breach, especially in conjunction with a firewall. You can separate the web servers from the application or database servers for increased security by passing the requests between those subnets through a firewall with its own set of rules. In the unfortunate event of a breach, you may be able to prevent the attacker from obtaining anything of value. That sounds like a pretty good scenario for a breach.

Encrypted VPN

A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on a computing device, e.g., a laptop, desktop, smartphone, across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, though not an inherent, part of a VPN connection.

Virtual Private Network - Wikipedia

An encrypted VPN is a good method of transporting data from a cloud VPS to a self hosted location. Firstly, it encrypts your data as it crosses the public internet, and secondly it creates an easier to manage "local" connection for configuration. The two (or more) machines will be treated as if they were on the same local area network. My VPN software of choice is WireGuard; as an alternative, many people choose to use OpenVPN.

VPS

A VPS runs its own copy of an operating system (OS), and customers may have superuser-level access to that operating system instance, so they can install almost any software that runs on that OS. For many purposes they are functionally equivalent to a dedicated physical server, and being software-defined, are able to be much more easily created and configured. They are priced much lower than an equivalent physical server. However, as they share the underlying physical hardware with other VPSes, performance may be lower, depending on the workload of any other executing virtual machines.

Virtual Private Server - Wikipedia

A Virtual Private Server, or VPS, is essentially a virtual machine in the cloud. My suggestion would be to lock one of these down and turn it into your reverse proxy, or, depending on what you are hosting, you may want to jump off the self hosting boat and use a VPS. A small VPS is a great solution for hosting a web application. Linode is my VPS provider of choice; DigitalOcean is a fairly popular company. VPS services can start between $3-$5 USD per month and can be ramped up if and when more processing power, RAM, storage, etc. is required.

Security by Obscurity

This is my favourite security practice, just because it is fun. Change up ports, change up usernames. If you change your root user to Asdf987a9w8fu23423 and are connecting to SSH on port 1234, it does actually make your machine a little more secure. It adds additional barriers the attacker has to go through: they now have to find the SSH port and figure out which user to connect with.

This is a big issue for people who use defaults. Public service announcement: there are bots that scan the internet literally testing defaults. If you leave your default configuration and machine open to the internet, it will only be a matter of time before someone gets in.

The Big Picture

Simple concept: the bigger you are, the bigger a target you are. You could open all your ports (DON'T) and if no one knows you exist (THEY WILL FIND YOU) you will never get hacked. Be responsible and do what you can to protect yourself, especially if you are self hosting. As a self hoster, you are not only risking yourself, but you are risking anyone else that uses your network. If you cannot take that weight on your shoulders, just fork out the five bucks a month.

Self hosting is fun and a great learning experience, especially if you are in a relevant information technology field. Most of my technical knowledge has come from experience. If you do not have a job where you can gain this knowledge, how do you obtain it? Hint: it is by using your own tech. These are the basics. If you use the above technologies, as a self hoster, you will most likely be ahead of many of your fellow self hosters.

This is a start. Continue to learn and grow your knowledge. It may lead you down some interesting paths, to interesting projects, or even to a new career. The possibilities are endless. On top of it all, you own your own data. As a self hoster, your data lives at home! In today's age, I personally think that is significant. These are my views. This is my advice. If you feel like I am missing some important content or just want some general advice, please feel free to contact me! You can email me or reach out by another method. Happy Hosting!

Note: These opinions are my own; my employer, Check Point Software Technologies, has not reviewed or been involved in this post in any way.