Selfhosted

50711 readers

631 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

The first publicly open instance (lemmy.world)

submitted 22 hours ago by Kkk2237pl@lemmy.world to c/selfhosted@lemmy.world

28 comments fedilink hide all child comments

I want to start with self hosting something available from internet. Currently I have jellyfin, nas etc but everything is available in local network.

My biggest concern is securing local network. I thought i will run application on separate server, I will use small vps as proxy, but Im not sure if it will be enough

you are viewing a single comment's thread
view the rest of the comments

[–] Kkk2237pl@lemmy.world 2 points 16 hours ago (1 children)

Yeah, but if my server is in the local network, I have potential threat that someone will access my lan through public server

[–] irmadlad@lemmy.world 3 points 16 hours ago

Well, you could do network segmentation:

Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I'm not sure what router you have buy many consumer routers have a "guest network" that can serve this purpose.

Utilize UFW rules. Mine are:

sudo ufw default deny incoming
sudo ufw default allow outgoing
Anywhere ALLOW IN 192.168.1.0/24
22 ALLOW IN 192.168.1.0/24
22 on tailscale0 ALLOW IN Anywhere
22 (v6) on tailscale0 ALLOW IN Anywhere (v6)

Also:

sudo ufw allow out to 1.0.0.1 port 53 # DNS only
sudo ufw allow out to 1.1.1.1 port 53
sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin

So now I have SSH capability locally and through Tailscale installed on the server and this prevents the server from initiating connections to other LAN devices. You can do alot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.