Self hosting questions

I’d like to start to self host some services like PiHole, NextCloud, Gitea/Gitlab, etc.
Do any of you guys know a good beginner guide to help me with it? I read around many things (especially from r/selfhosted) but there are still things I don’t get. I’m particularly concerned with one thing, if I self host do I need to be “publicly exposed” to the Internet? If so, is that unsafe and not-privacy-friendly?
For example I read you have to use a service like FreeDNS, DuckDNS or Nsupdate.info to register a domain that points to your Dynamic changing IP, isn’t that privacy concerning, both because you’re “public” and because you have to trust that service? Maybe I’m not understanding it properly, any help would be appreciated.

1 Like

Welcome to the forum,

I have no idea on this as I have had such long experience and I don’t remember if I ever read those. I also haven’t tried to self-host the services you mention; I tried Gitolite years ago though (I have no idea if it still exists).

Not necessarily, you can use a VPN (I mean a Virtual Private Network, not a service that you forward all your traffic through hiding your IP address from the destination server) or Tor onion services or I2P eepsites or possibly some self-contained network. I would use Yggdrasil (which is however experimental and your peers know who you are unless you use Tor or I2P peers) and Tor onion service as it’s nice to have SSH access with it if everything else fails.

A nice feature in onion services is that they also work through NATs (including CGN) and firewalls restricting incoming traffic assuming Tor isn’t blocked in your network.

https://2019.www.torproject.org/docs/onion-services.html.en

https://i2pd.readthedocs.io/en/latest/tutorials/http/

I couldn’t find the upstream I2P documentation on this, but I2Pd is lighter. I haven’t personally set up any eepsites though; with Tor I can say it’s simple. With Yggdrasil you should use a firewall.

It’s the “default” situation where you aren’t using Tor or a VPN and it depends on your threat model and that is most of my internet usage. I do have a firewall, on Linux I tend to use ufw and on Windows the default firewall.

Your router should also include a firewall (even if it won’t help with the services I mentioned though with Tor and I2P you specify in the config which ports you want to expose to others).

Edit 2019-08-04: Linking to Discussion: Yggdrasil so people can see ideas on what Yggdrasil can be used for.
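The point above that with Tor you choose in the config which ports are exposed, as an added example that is not part of the original post: a small shell audit that lists every `HiddenServicePort` mapping in a torrc and marks targets that are not on loopback. The torrc contents, paths, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what a torrc exposes through onion services.

sample_torrc() {   # constructed sample input, not a real deployment
cat <<'EOF'
# SSH reachable only as an onion service
HiddenServiceDir /var/lib/tor/ssh_onion/
HiddenServicePort 22 127.0.0.1:22
# Web app: onion port 80 forwarded to a local port
HiddenServiceDir /var/lib/tor/web_onion/
HiddenServicePort 80 8080
HiddenServicePort 443 192.168.1.20:443
EOF
}

# stdin = torrc text. Prints "<dir> <onion port> <target> <note>" per mapping.
# Without a target Tor forwards to the same port on 127.0.0.1; a bare port
# as target also means 127.0.0.1. Anything else leaves this machine.
onion_exposed_ports() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "hiddenservicedir"  { dir = $2; next }
        tolower($1) == "hiddenserviceport" {
            target = ($3 == "") ? $2 : $3
            if (target ~ /^[0-9]+$/) target = "127.0.0.1:" target
            note = (target ~ /^(127\.|localhost:|\[::1\]|unix:)/) ? "loopback" : "NON-LOOPBACK"
            print dir, $2, target, note
        }'
}

sample_torrc | onion_exposed_ports
```

Only the listed onion ports are reachable by others; the service behind each one can stay bound to 127.0.0.1 and closed in the firewall.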

First, PiHole needs a machine, not a server, so yeah, or just get a Debian Linux VPS/server. You can just buy a VPS (a PC over the Internet, as I love to call it xD), then go to every project you want to host and see its info. I’ve got something for you: there is an app called Sandstorm; it’s like a collection of open source web apps managed in one big web app (if you’re confused, see the website). So yeah, you can start with it, because you just install one thing and get a lot of popular tools. And do not forget to host a Tor node!

EDIT: Yeah, your website will be on the net, but for someone to get into it they need the domain name or IP. As for your IP or DNS, you can use noip (I mean, it’s just an IP and every website already sees it, so with noip the company will get it and no one else), or just, as I said, use a VPS.

In general, keep in mind that security is much more than only configuring something once. Security is about technology, processes/organization, and people. You have to consider this in order to get more security.

Here are some basic tips for starters:

  1. Before starting, write down what you want to achieve by self-hosting: Which services do you need? Do you need these services anywhere or is it sufficient if they are available on your LAN only? Which operating system do you need? How do you get updates and are you able to quickly install any security updates? How do you want to access the server (e.g. VPN, SSH)? How do you back up your data and prevent data loss? How do you monitor your server to detect access attempts by bot nets and shady people? …
  2. Then, start to plan. Again, write something down.
  3. Then, set up your server. Install an operating system that is suited for servers. Install only packages that are really needed.
  4. Install a basic firewall and harden your SSH configuration (e.g. implement public-key authentication and 2FA: https://infosec-handbook.eu/blog/wss1-basic-hardening/). Configure these tools according to your plan.
  5. Install your services. Look for security hardening guides and, again, document any changes in configuration files.
  6. Set up monitoring software (basic tools are AIDE or rkhunter, but there are also many advanced tools).
  7. Check everything.
  8. Use your system.

During normal operation, you should at least regularly back up your data and configuration (after changes), monitor your server, and check its configuration from time to time.

There are more things to consider, of course. However, this should provide some basic guidance. Again, keep in mind that you need much more than only some configuration. Security needs care.

Edit:
We just released a new part of our web server security series to address this in detail: https://infosec-handbook.eu/blog/wss0-how-to-start/

2 Likes
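Steps 4 and 7 of the list above (harden SSH with public-key authentication, then check everything), as an added example that is not from the post's author or the linked guide: a shell audit of the global section of an `sshd_config`. The sample file and function names are constructed; the defaults passed in are OpenSSH's documented ones, and the 2FA part of step 4 is not covered.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for key-only logins.

sample_sshd_config() {   # constructed sample input
cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
# a later duplicate is ignored: sshd keeps the first value it reads
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Effective global value of KEYWORD (stdin = config text). Keywords are
# case-insensitive, the first occurrence wins, parsing stops at the first Match.
sshd_global_value() {   # usage: sshd_global_value KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { found = 1; val = tolower($2) }
        END { print (found ? val : def) }'
}

check() {   # usage: check KEYWORD DEFAULT WANTED ; uses $cfg, sets rc
    got=$(printf '%s\n' "$cfg" | sshd_global_value "$1" "$2")
    if [ "$got" = "$3" ]; then echo "ok   $1 $got"
    else echo "FAIL $1 $got (want $3)"; rc=1; fi
}

audit_sshd() {   # stdin = config text; returns 1 if anything needs fixing
    cfg=$(cat); rc=0
    check PasswordAuthentication yes no
    check PubkeyAuthentication yes yes
    check PermitRootLogin prohibit-password no
    # A Match block can switch passwords back on for some users or hosts.
    if printf '%s\n' "$cfg" | awk '
        tolower($1) == "match" { m = 1 }
        m && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { f = 1 }
        END { exit !f }'; then
        echo "FAIL PasswordAuthentication yes inside a Match block"; rc=1
    fi
    return $rc
}

sample_sshd_config | audit_sshd || echo "review the FAIL lines above"
```

On a live server, `sshd -T` prints the configuration the daemon actually uses, which also covers included files that this file-level check does not follow.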