This is a continuation of my other post
I now have homeassistant, immich, and authentik docker containers exposed to the open internet. Homeassistant has built in 2FA and authentik is being used as the authentication for immich which supports 2FA. I went ahead and blocked connections from every country except for my own via cloudlfare (I’m aware this does almost nothing but I feel better about it).
At the moment, if my machine became compromised, I wouldn’t know. How do I monitor these docker containers? What’s a good way to block IPs based on failed login attempts? Is there a tool that could alert me if my machine was compromised? Any recommendations?
EDIT: Oh, and if you have any recommendations for settings I should change in the cloudflare dashboard, that would be great too; there’s a ton of options in there and a lot of them are defaulted to “off”
By not making them publicly accessible. With Wireguard there’s really no reason.
Setup service to be active on a subnet, enable Wireguard to VPN into the subnet and use the services.
Yeah, I’m not gonna tell the 50 users of my plex server to set up wireguard on their devices so they can request movies and TV series on my overseer, when I can instead just use NPM to make it publically accessible with a password prompt
Your use case, and OPs, are completely different scenarios. I can’t tell if you’re being purposefully disingenuous or just flippantly stupid.
Well, that’s kinda of a personal choice. If somebody needs to have services accessible by someone else besides him, that service can’t be behind a VPN (let’s face the truth: we know that we can’t ask all out relatives and friends to use a VPN).
There’s also something to be said about some services being cordoned off in a VPN while leaving some public with security. I don’t necessarily want everyone within my full network if all I want is to share one service with them.
For that, you can restrict access to a single service with iptables.
This is effectively the same damn thing with a single exception. If your VPN is down, there’s no access to your server. If for whatever reason your firewall is down, there’s unrestricted access to your server…
VPN is unquestionably the correct choice 100 times out of 100.
I don’t know what kind of firewall you use, but if my firewall is down there is NO traffic at all passing through!
And by the way, since I’ve replied to someone that don’t want to use VPN because he doesn’t want to give access to the whole network, I meant that he could use a VPN AND iptables to restrict the guest access to single services instead of the whole network.
Only a hardware firewall would do this. If it’s software, like implied in your post, no traffic is filtered and all connections are accepted.
VPN is the least amount of work for the most secure setup. There’s nothing to even argue, its superior in every way.
Talking abut netfilter, since it manages also the forwardning, it for some strange reason it should crash, NO IP traffic is flowing
If there’s nothing to even argue, then I say goodby to you since I’m here to discuss. All the best!
Again, this is the reason VPNs exist. If that person needs access, then setup Wireguard…
It’s like saying you don’t need a front gate with an access code because then you would have to give out your own access code. But I mean, the lock has the ability to setup more access codes. And you’re saying the only viable option is the leave the gate open and hire a guard to manage access. It’s just… Weird and wrong.
What? What’s the difference between a VPS and your home server? You may say that’s a good practice to separate things, so maybe have a a VM with public facing services and another with more private stuff reachable only with a VPN. But for something like Nextcloud, it needs to be public (if you’re not the only one using it), but it contains personal stuff and then comes the OP request!
You’re missing the point. VPN isn’t about separating anything… I’m not even sure what you mean by that. VPN is the accepted practice here. Unquestionably. You create private services, and for security you only expose them to the least amount of people possible. You authenticate via VPN connections. You only have to maintain a single database of users to access any number of services, even tens of thousands.
OP is specifically talking about hosting local content that they want to protect. VPN is the solution here.
Well…if you edit your post after someone has replied to it at least specify what’s you’ve edited and don’t pretend that the answer that somebody else has already given you wasn’t about your non edited post!
If you (my mistake) wrote VPS instead of VPN, you can’t pretend that I’ve answered about VPN!
If you can convince your family member and your friends to use a VPN to use your service, that’s good for you, and I mean it!
But saying that it’s quite impossible to do that, I think that I’m speaking for 99% of the self hoster (is this correct in English? Bah, you got me!)
The entire point of selfhost is to host private services not available to the public. By literal definition, that’s allowing only local traffic to connect to your services. It’s infinitely more secure. A VPN allows you to extend those services over the clearnet to authorized devices via virtualized networks. You don’t have to worry about messing with inbound/outbound ports, or worrying about software failure or misconfigurations accidentally exposing you to the clearnet. You don’t have to worry about DDoS, or abuse. Being attacked? Bring down your VPN and that completely shuts down your issue. Your network is completely unreachable by anyone but a local host.
There’s simply no room for an argument. VPN is objectively better in all possible situations.
I’m with you about that.
As stated in the other post, I’m sorry about that, I’m here to discuss and learn, if you don’t have room for an argument, our discussion ends here.
Exactly! in all possible situation!!!
I agree with WG however I need https for a few locally hosted items like actual budget so I have that through nginx proxy manager. I was debating adding Authelia in front with some of my others (audiobook shelf, home assistant and music assistant) as sometimes I disconnect from my home network and forget to reconnect.
Why not swap from nginx-proxy-manager to Caddy2, which can handle everything? SSL and reverse_proxy?
Just out of curiosity, why do you disconnect from your home VPN?
There should be an option in your phone VPN setup to reconnect if app X is being used.
There is. It’s called VPN Split Tunneling.
If you want to proxify your connection between you and a service, you enable the split. If you don’t care, or want to not use the VPN, then disable it for that application. So it’s effectively “proxify all connections to this app,” which is the same as your use case.