Hi there, I’ve been reading up on self-hosting for a couple of weeks now and I got my feet wet with a couple of things.

However, before really getting serious with it, I feel I need to get down the basics and make sure that my server will not end up a security hazard. My final goal would be to self-host my socials (Mastodon, Lemmy, Matrix) - just for myself.

What basic security do I need to have in place, considering these services? I’ll be running this on a VPS and so far I consider the following: disable password login (login with ssh key only), then set up nginx, fail2ban, and a basic firewall. I’d try to close all ports that are not required for the services I run. I’ll also change the ssh port from 22 to something else and close port 22 as well.

Would this be a sufficient basis, or am I missing something crucial?

Bonus question: do you know of good tutorials to learn the above stuff? I’ve been following the guides on DigitalOcean (e.g. https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-20-04) and they seem decent enough - but I think I’ll need to get into more depth than that :)
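One check worth adding to the "disable password login" step in the post above, as an added example that is not code from anyone in the thread: a small Python audit that resolves sshd directives the way sshd itself does (first value wins, `Include` expanded in place) and reports whether password login is really off. It assumes the default config path and, for offline use, a constructed sample in which a drop-in file overrides the main config.

```python
"""Resolve the sshd settings that will really apply (added example, not the thread's).
sshd keeps the FIRST value it sees, and Ubuntu's stock sshd_config starts with
`Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in saying `PasswordAuthentication yes`
silently beats a `no` lower down. On a real host `sshd -T` shows the same resolved view."""
import fnmatch, glob, os, re

WANTED = {"passwordauthentication": "no", "permitrootlogin": "no",
          "pubkeyauthentication": "yes"}                  # what the key-only plan needs
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
            "pubkeyauthentication": "yes"}                # OpenSSH defaults when unset
ACCEPTABLE = {"permitrootlogin": {"no", "prohibit-password"}}

def effective_config(root="/etc/ssh/sshd_config", files=None):
    """Return {directive: first value}; `files` ({path: text}) replaces the disk."""
    resolved = {}

    def expand(pat):                                      # Include globs, sorted like sshd
        pat = pat if os.path.isabs(pat) else os.path.join("/etc/ssh", pat)
        return sorted(glob.glob(pat) if files is None
                      else (p for p in files if fnmatch.fnmatch(p, pat)))

    def walk(path):
        text = files[path] if files is not None else open(path).read()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if key == "match":                            # conditional block: stop here
                return True
            if key == "include":
                if any(walk(inc) for pat in value.split() for inc in expand(pat)):
                    return True
                continue
            resolved.setdefault(key, value)               # first occurrence wins
        return False

    walk(root)
    return resolved

def audit(cfg):
    """Findings for the key-only login plan; an empty list means it holds."""
    return [f"{k}: effective value {cfg.get(k, DEFAULTS[k])!r}, expected {want!r}"
            for k, want in WANTED.items()
            if cfg.get(k, DEFAULTS[k]) not in ACCEPTABLE.get(k, {want})]

SAMPLE = {  # constructed: hardened sshd_config shadowed by a cloud-init style drop-in
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nPort 2222\n"
                            "PasswordAuthentication no\nPermitRootLogin no\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n"}
```

Run `audit(effective_config())` as root on the VPS to check the live files; the sample shows the drop-in winning over the `no` in the main file.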

  • PlexSheep@feddit.de · 1 year ago · 11 up, 1 down

    Agreed. Security through obscurity is a fallacy.

    If OP just wants to use it himself, a good idea might be to set up a VPN service and only allow the other services to be used from the VPN. That can be done with WireGuard and a reverse proxy, for example.

    • animist@lemmy.one · 1 year ago · 6 up, 3 down

      While I do completely agree, changing ports is more about getting rid of low-hanging fruit so some script kiddie doesn’t get into 22. But again I do agree with everything you said.

      • Rikudou_Sage@lemmings.world · 1 year ago · 3 up, 2 down

        Just firewall the port and there’s no difference for your hypothetical script kiddies. Don’t ever do security by obscurity.