bro i actually dealt with the smae topic for weeks now and you forgot network segmentation using vlans, iptables or ebpf. also zero trust access instead of ssh is missing
Sorry to disturb you, but could you help me figure this out? I’ve got USDT TRX20 stored in my OKX wallet with the recovery phrase (clean party soccer advance audit clean evil finish tonight involve whip action). How do I send it to OKX?
Security professional here. Thanks for making this video! I'll be recommending folks view this video. You've described everything I suggest folks with home-labs do. The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy. Even if it means logging-in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public. Also, use some type of split DNS; where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally. And you can still access all your home-lab services if your internet connection goes out.
Good idea with internal DNS, it fixed my problem with all my selfhosted apps being routed through my slow 10mbps upload speed via cloudflare. I even get SSL still when using local dns for routing my domain to my server's local IP
Hi there, could you please assist me with my issue? my OKX wallet holds USDT TRX20, and my recovery phrase is (clean party soccer advance audit clean evil finish tonight involve whip action). Can you explain how to move it to OKX?
You should make a video of home lab hosting from square 0 if you were to start from nothing (or start over) and how to set it up. Episode one: bare necessary hardware and how to set up Vlans. Episode two set up server (old pc), setup docker, and setup backups. Etc
I don’t think you need VLANs on your homelab. You have L3 switches and huge variety of internal networks, so, you can just use port isolation. It’s good for learning, but if your case is not learning or you want just to make it done with less configuring, you can skip VLANs and lose nothing.
Are we not gonna talk about the awesome illustration using those stickers or cardboard!, this video is amazing end to end, awesome visuals, clear, cuts to the chase. I really like this and have enjoyed every bit. Would be awesome if you can showcase the process of setting some of these stuff you mentioned in separate videos. Would love to see that and again awesome job 🙏
Would actually appreciate if Linode would sponsor a series on your channel with topics of your choosing that compare and contrast and shows how to run services remotely for distributed friends and family
I would so much rather listen to Linode tutorials from Tim rather than the guy they seem to have buddied with currently who spends a 20 minute video giving you the first 3 sentences of a man page.
As a tenured engineer (over 10 years in networking, security, and more) this was video was a fairly comprehensive guide to the extent of touching on different layers of protection for self-hosted solutions. Major kudos and for sure a sub from me. I'd say the only "aspect" missing is the time to do all this, aside from your job (if you have one). This has been the biggest thing for me. I host things internally, just not exposed to the Internet.
I'm a sysadmin specializing in security and I block countries at work. It saved us a ton from exploit scans and from attempted exploits that we've previously patched. Our firewall can detect and block exploits and there is tons coming from a handful of countries. Also, it may have also saved us from being exploited on one occasion when an exploit attempt came from Russia going to an unpatched Pulse VPN appliance. There is a possibility that other measures would have caught it as well, but it was an excellent first layer of security in this instance. I highly recommend blocking Countries. I highly recommend blocking Russia, China, Ukraine, Crimea, and North Korea. You are correct that most attacks that I see originate from the US, so a layered security model is important but this one rules kills about 60% of all exploit and exploit scanning activity.
Blocking countries can be a terrible idea in some instances so it would be case by case. Where I work, we can’t. You end up blocking edge locations and CDNs. Not to mention our clients customers. Usually I can only block middle eastern countries.
You have no idea how much knowledge I gained from this video/tutorial. I have watched a few of your videos including the "Put SSL on everything" but this was by far my favorite. Appreciate the effort that went into this. Subbed
I'm starting my journey into the world of servers with my first homelab and I've already watched this video a thousand times. Amazing content! It's very difficult to find accessible documentation that helps you understand why each step is necessary. I'm not a computer layman, but it's very difficult to get all the pieces to work together with the certainty that I'm not doing anything crazy. Thank you very much for the video, my friend!
Love it Tim! Although you say it is for a home lab, your excellent account, and all the great comments elaborating on it, will be an inspiration to improve the setup at my workplace. Thank you from a Dutchman!!
Your video quality just keeps on improving. I really enjoy your work and you do a great job representing the self hosting community with a lot of polish and enthusiasm.
I am windows system engineer and I have been thinking about self hosted services for sometime now (around 2 years) somehow your video motivated me to start I have just started with the hardware and I am using your videos as a guide and inspiration and ideas to achieve what I want. Keep up the good work and the nice ideas
This video was amazing! Having the big picture (the visuals were perfect!) helps pull all these concepts together. I've watched a lot of videos of the self hosted pieces but without understanding how they fit together and the why, I felt lost.
Great video, thanks! The production value is also really nice, it's obvious you're making great progress and you are by far my favorite homelab/tech youtuber. It's easy to recommand such a great channel. Thank you for everything you're doing and I hope to see many more of your content.
Cool video! Using pictograms makes it so easy to visualize :) For containers, running them with the least privileges possible (preventing privilege escalation), using specialized socket proxies for the services needing it (ie Traefik, Watchtower, Portainer...) and segmenting their networks to the lowest possible level is also a good idea
Happy to see you doing a security video, I just got my domain setup with cloud flare.. really cool to see that I can host public services without exposing my public IP.
Dude I'm learning so much from your videos! I got wireguard up and running recently and have only been hiding behind that, but this video is an awesome roadmap for me to up my selfhosting game. Def earned my sub, looking forward to learning more from you
Great overview. To summarize home lab architecture this thoroughly in 18 minutes is downright impressive! I would just suggest adding a quick comment or addendum to the guide somewhere that Cloudflare proxies alone can't be depended on for blocking external attacks, even with IP allow lists. You'll also need to setup MTLS, otherwise another Cloudflare account could proxy malicious traffic to your account through to your servers.
That can probably be extended to include interesting features, for example if we put all IoT devices in a separate network, they should still be able to access Internet and be available from our trusted devices (phones), but should not have access (initiate connections) to our trusted devices.
@@vaddimka use rules / patterns like this. This is quite easy with Mikrotik routers. If source = IoT vlan & destination = phone vlan, then drop connection. Swop it around like this: If source = phone vlan & destination = IoT vlan, then allow.
Great video as always! Your concise, easy to follow and straight to the point videos are at this point kind of therapeutic to me! Like a few others have already suggested, I would also like to suggest making this video the start of a series of other videos, each of which goes into the actual set up of the main steps mentioned in this video. It would ultimately make for a very nice play list on home-labbing best security practices, and how tos!
Really helpful in terms of networking, however I missed a bit of endpoint hardening, configuring the OS firewall, hardening docker, kernel hardening, file permissions, etc. Although its kind of a rabbit hole to get into that lol
Excellent video Tim, you covered quite a bit. One thing i might add (which would fall into permissions) is to make sure UNC (known as backdooring) is turned off. This makes it harder for an attacker to easily spread ransomware/malware throughout your network.
Didn't realise that I should do conditional port forwarding. Just got Cloudflare's IP ranges added to my router. Excellent. Now to learn about VLANs as that's really the only other thing I don't have configured. Cheers Techno Tim!
Thanks for this detailed and wonderfully illustrated explanation. Before coming across your video, I had read and watched many guides on self hosting that were not very clear on security steps (if they mentioned security at all). Your video is a gem of a resource!
Thanks for another great video.m!! Your first advice is great: just don’t open up your home. As a non-professional have learned this the hard way a couple of years ago. Thanks for not forgetting to put in that advice!
@@alexitanguay Putting a server online while having forgotten having set up a test account called test with password test - it is one of those things that gets your ISP connection suspended until you explained your error after finding it in the first place. If you're not a professional in the field you are bound to do silly things like that.
This is sooo good!! Many years wondering what I would need to do to self-host stuff without putting myself at risk and you just told me everything in less than 20 minutes. Thanks a lot!!!
I've watched this so many times - but I keep coming back to it when I need to check over my security measures and see if there's something I need to change/implement. Best security video for self-hosting!!
I really wish that there was a "latest-stable" tag like how there are LTS versions of operating systems. This way you could have a patching cycle that just checks for and applies the latest stable patch.
These are really great advices that you learn even in CCNA, so, good stuff. But the aspect of the host itself, about containers, os, virtualization, and updates it's something you don't see teached around often. Probably because is a market that's always changing, but it would be great to have an in-depth video about this part!
I would add to this that you can make use of Qualys (self hosted) in order to scan for vulnerabilities in your Home lab. They have a free version for up to 16 devices !
Once more a great video and another excellent source of inspiration. Totally love the little paper icons. You are good dude! I have to say that your channel has become my favorite one when it comes to IT related content. I am surprise that you haven't got more than 1 million subscribers considering the quality of your videos. It will be soon I am sure. This video comes just when I was considering rehosting some customers websites, perfect timing.
@@TechnoTim Hello Tim. Thank you for your kind message. In case you are reading this, I believe you would be the perfect person to do a tutorial on how to setup IPV6 with Docker. I have been struggling for the last week with this on my infrastructure. Proxmox in bridge mode with a /24 subnet from my ISP, Docker swarm on KVMs and PFSense on bare metal. I am trying to implement a vanilla IPV6 config with DHCPv6 on PFSense. Totally insane that I could not find a proper recipe to do this. The docker gateway behavior makes the whole access to containers particularly weird. In case you have some knowledge on this type of setup, it would be a great material to add to your collection. Take care !
Great video - if I was to host at home, I would add a second router behind my first router/firewall - so I have somehting like a DMZ - or go the VLAN path...
The Cloudflare setup can also be done with Cloudlfare tunnels from their zero-trust product. The dashboard can be a bit confusing. The advantage is, it doesnt rely on router and port forwarding configurations. This also means, the server is somewhat portable and can be deploy fast at a different location in another network.
Any chance of a tour of how your network is laid out? From the modem to your servers? Maybe a how to of how you have your stuff setup? Perhaps a video series/playlist? I would like to redo my home lab to do a better job of segmenting things out.
@@TechnoTim it would be amazing to see a similar video for securing a cloud vps for self hosted applications. A lot more people now are leveraging the likes of Linode or DigitalOcean, but wish to retain privacy and security.
Thank you very much 🙏 I had no idea on how to secure my home server, without putting my family at riskt 😅 This Video gave me a good idea on what I had to do and look for ❤
I think that for some odd reason SSH Bastion Hosts are strangely overlooked idea on the self-hosted environments. Servers on DMZ (behind the firewall on their own logical network, isolated from rest of the end devices) + Securely hardened Bastion host for server management access limits the attack surface to minimal as possible. Same goes to any intermediary device management portals etc...
this is great guideline for start self hosting security. If you need some kind of inspiration for the video, you might split this one into few yt videos and describe each section in details, giving some basic explanation for newbies on each topic, maybe using more examples and advices, or even setting this kind of server hosting from scratch giving examples on options within each layer of security. I've got this idea watching this section: 9:32, so it may be good starting point
This really comes down to the use case, some times integrating 3rd party services by them self could actually cause more damage than setting up everything local only.
Great to see cloudflare getting recognition. There are only a handful of videos that I've seen that stick to using cloudflare for firewall. They may sell data, and had an outage recently but for a inexpensive firewall, dns record management, and more, I recommend them. Been using them for almost two years now.
What would change if I config my server into DMZ instead of port-forwarding it (in the modem/router)? I know that the DMZ opens all the ports available for one machine, but it’s isolated from the rest of the network, does it make it more safer?
Thank you for your honest feedback! I questioned it from the start. Just uploaded a new and improved one, refresh to see it! Thank you for your honesty! This helps!
@@TechnoTim I really rarely comment, and I was a little direct haah, but I loved the video so much that it really deserves to reach the most people and the new thumbnail I find it great! more colorful it catches the eye 😊👌
Great video, thought it should be pointed out that it is possible to allow a group of ingress IP's within UniFi by creating a firewall rule and apply it before predefined rules. The action should accept, then create an IP and port group for the source (this will be the cloudflare IPs that you created a rule per IP block for) and the destination should then be the machine to forward to. This does require 1 (ONE) port forward rule setup the way that you have setup, and then exclude the ingress IP used in the port forward from the cloudflare group. It's a bit of a hacky solution but it works.
An additional method of protection I use when it comes to Cloudflare is ASN blocking. I've spent a lot of time collecting a lot of webhost and VPN providers network ASNs to effectively block a lot of potential bad traffic. I find this blocks A LOT of "bad actors" especially when attackers often rent multiple IPs from the same host. Simply blocking the hosts ASN will effectively block every possible IP that hosting provider owns, without necessarily having to block IP ranges themselves.
Re: USG repetition... You can automate all Unifi USG via Ansible. Even learning Ansible for a simple connection and a quick loop to set all of those forwarding rules is a great way to quickly pickup and learn Ansible for a small simple task.
Your the man Tim. 1. I like the hat. Maybe the ladies like those foofie locks... But not me. 2a. Those illustrations were awesome. (seriously) 2b. The humor and creativity are fantastic 2c. But you have to understand it does open you up for some trouble. You color those yourself? 😉 (I actually kinda wanna know) 3. This was a great overview. This is exactly what I am wanting, and exactly the path I would love to head down. If you would walk through this step-by-step it would be fantastic. IMO Thanks again! I'm a noob... But this noobs a big fan, thanks!
I really gotta get my IOT devices on thier own vlan, I went down that route a while back and broke all the mobile functionality.. Im sure its something on my part.
7:32 latest can also have breaking changes if it starts pointing to a major version release and may need hands on involvement from you. Already had this happen once and that will be the last time because I went ahead and changed all my containers to refer to specific release. Some projects have tags for major releases so I point to those instead if available (like a 5.0 tag pointing to the latest 5.0 release)
Are yoh referring to Cloudflare Zero-Trust/Tunnels in this case? Or is this again, just a reverse proxy? It would increase latency in any way, but also security.
New Customers Exclusive - Get a Free 240gb SSD at Micro Center: micro.center/0ef37a (paid)
American only. 🤦♂️
i dont have a microcenter near me :(
bro i actually dealt with the smae topic for weeks now and you forgot network segmentation using vlans, iptables or ebpf. also zero trust access instead of ssh is missing
This set up is far more secure than any company I've worked for.
And we can do this at home!
I still occasionally run into companies with passwords in the form of "CompanyName1234" so I'm not sure any kind of setup would really save them...
Sorry to disturb you, but could you help me figure this out? I’ve got USDT TRX20 stored in my OKX wallet with the recovery phrase (clean party soccer advance audit clean evil finish tonight involve whip action). How do I send it to OKX?
Security professional here. Thanks for making this video! I'll be recommending folks view this video. You've described everything I suggest folks with home-labs do.
The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy. Even if it means logging-in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public.
Also, use some type of split DNS; where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally. And you can still access all your home-lab services if your internet connection goes out.
Good call! Thank you for your expertise! It should be in place prior to! Also, I have a guide on split DNS with PiHole, should have mentioned it!
Good idea with internal DNS, it fixed my problem with all my selfhosted apps being routed through my slow 10mbps upload speed via cloudflare. I even get SSL still when using local dns for routing my domain to my server's local IP
@@TechnoTimcan we get a video on split DNS?
Hi there, could you please assist me with my issue? my OKX wallet holds USDT TRX20, and my recovery phrase is (clean party soccer advance audit clean evil finish tonight involve whip action). Can you explain how to move it to OKX?
You should make a video of home lab hosting from square 0 if you were to start from nothing (or start over) and how to set it up. Episode one: bare necessary hardware and how to set up Vlans. Episode two set up server (old pc), setup docker, and setup backups. Etc
Ditto.
Getting some pointers to absolute beginners are a great idea, because there's too much to learn and no clear, easy way of achieving it.
I don’t think you need VLANs on your homelab. You have L3 switches and huge variety of internal networks, so, you can just use port isolation. It’s good for learning, but if your case is not learning or you want just to make it done with less configuring, you can skip VLANs and lose nothing.
That'd be pretty dope
Are we not gonna talk about the awesome illustration using those stickers or cardboard!, this video is amazing end to end, awesome visuals, clear, cuts to the chase.
I really like this and have enjoyed every bit.
Would be awesome if you can showcase the process of setting some of these stuff you mentioned in separate videos.
Would love to see that and again awesome job 🙏
Thank you!
*looks over at Self Hosting video I just posted with disappointment*
Wooooo Microcenter sponsorship! Let’s Go!!! I’m digging the style of this vid.
I saw yours a few days ago! It was great! This just compliments it!
Would actually appreciate if Linode would sponsor a series on your channel with topics of your choosing that compare and contrast and shows how to run services remotely for distributed friends and family
I would so much rather listen to Linode tutorials from Tim rather than the guy they seem to have buddied with currently who spends a 20 minute video giving you the first 3 sentences of a man page.
As a tenured engineer (over 10 years in networking, security, and more) this was video was a fairly comprehensive guide to the extent of touching on different layers of protection for self-hosted solutions. Major kudos and for sure a sub from me.
I'd say the only "aspect" missing is the time to do all this, aside from your job (if you have one). This has been the biggest thing for me. I host things internally, just not exposed to the Internet.
I'm a sysadmin specializing in security and I block countries at work. It saved us a ton from exploit scans and from attempted exploits that we've previously patched. Our firewall can detect and block exploits and there is tons coming from a handful of countries. Also, it may have also saved us from being exploited on one occasion when an exploit attempt came from Russia going to an unpatched Pulse VPN appliance. There is a possibility that other measures would have caught it as well, but it was an excellent first layer of security in this instance. I highly recommend blocking Countries. I highly recommend blocking Russia, China, Ukraine, Crimea, and North Korea. You are correct that most attacks that I see originate from the US, so a layered security model is important but this one rules kills about 60% of all exploit and exploit scanning activity.
Thank you for your valuable insight!
Blocking countries can be a terrible idea in some instances so it would be case by case. Where I work, we can’t. You end up blocking edge locations and CDNs. Not to mention our clients customers. Usually I can only block middle eastern countries.
I'm not in the US and you can bet I'll be blocking the entire continent
I'd be blocking the US as well lol
Also Iran or Nigeria to be blocked I say.
You have no idea how much knowledge I gained from this video/tutorial. I have watched a few of your videos including the "Put SSL on everything" but this was by far my favorite. Appreciate the effort that went into this.
Subbed
Thank you so much for the kind words and recognizing how much work went into this!
I'm starting my journey into the world of servers with my first homelab and I've already watched this video a thousand times. Amazing content! It's very difficult to find accessible documentation that helps you understand why each step is necessary. I'm not a computer layman, but it's very difficult to get all the pieces to work together with the certainty that I'm not doing anything crazy. Thank you very much for the video, my friend!
Love it Tim! Although you say it is for a home lab, your excellent account, and all the great comments elaborating on it, will be an inspiration to improve the setup at my workplace.
Thank you from a Dutchman!!
Thank you!
Your video quality just keeps on improving. I really enjoy your work and you do a great job representing the self hosting community with a lot of polish and enthusiasm.
Thank you!
I am windows system engineer and I have been thinking about self hosted services for sometime now (around 2 years) somehow your video motivated me to start I have just started with the hardware and I am using your videos as a guide and inspiration and ideas to achieve what I want. Keep up the good work and the nice ideas
Thank you! You got this!
This video was amazing! Having the big picture (the visuals were perfect!) helps pull all these concepts together. I've watched a lot of videos of the self hosted pieces but without understanding how they fit together and the why, I felt lost.
Glad it was helpful!
Great video, thanks! The production value is also really nice, it's obvious you're making great progress and you are by far my favorite homelab/tech youtuber. It's easy to recommand such a great channel. Thank you for everything you're doing and I hope to see many more of your content.
Thank you!
Cool video! Using pictograms makes it so easy to visualize :) For containers, running them with the least privileges possible (preventing privilege escalation), using specialized socket proxies for the services needing it (ie Traefik, Watchtower, Portainer...) and segmenting their networks to the lowest possible level is also a good idea
Happy to see you doing a security video, I just got my domain setup with cloud flare.. really cool to see that I can host public services without exposing my public IP.
Thanks man! Took a risk on this one!
Dude I'm learning so much from your videos! I got wireguard up and running recently and have only been hiding behind that, but this video is an awesome roadmap for me to up my selfhosting game. Def earned my sub, looking forward to learning more from you
Glad to hear it! Thank you!
WOW, This is by far one of the best self hosting videos on RUclips! Excellent stuff Tim!
Wow, thanks!
Great overview. To summarize home lab architecture this thoroughly in 18 minutes is downright impressive! I would just suggest adding a quick comment or addendum to the guide somewhere that Cloudflare proxies alone can't be depended on for blocking external attacks, even with IP allow lists. You'll also need to setup MTLS, otherwise another Cloudflare account could proxy malicious traffic to your account through to your servers.
This videos are just getting better every day, keep it up.
Hi Tim! I love your tutorials and homelab. Would be great to see a dedicated Pfsense video with VLAN setups including a managed router.
Thank you! Noted!
@@TechnoTim Thanks for the reply. I am so excited for the next video. All the best to you.
That can probably be extended to include interesting features, for example if we put all IoT devices in a separate network, they should still be able to access Internet and be available from our trusted devices (phones), but should not have access (initiate connections) to our trusted devices.
@@vaddimka use rules / patterns like this. This is quite easy with Mikrotik routers.
If source = IoT vlan & destination = phone vlan, then drop connection.
Swop it around like this:
If source = phone vlan & destination = IoT vlan, then allow.
This would be great, Vlan in Pfsense for starters
Great video as always! Your concise, easy to follow and straight to the point videos are at this point kind of therapeutic to me! Like a few others have already suggested, I would also like to suggest making this video the start of a series of other videos, each of which goes into the actual set up of the main steps mentioned in this video. It would ultimately make for a very nice play list on home-labbing best security practices, and how tos!
super good and I think you should update these every few years. I know not much may have changed. But it will be worth what has.
Really helpful in terms of networking, however I missed a bit of endpoint hardening, configuring the OS firewall, hardening docker, kernel hardening, file permissions, etc. Although its kind of a rabbit hole to get into that lol
🐰🕳 it never ends!
Dude we need a updated version of this golden topic
Excellent video Tim, you covered quite a bit.
One thing i might add (which would fall into permissions) is to make sure UNC (known as backdooring) is turned off. This makes it harder for an attacker to easily spread ransomware/malware throughout your network.
Great tip!
Your videos are getting better every time, you're doing a great job. Not easy to explain and put all this together. Thanks
I appreciate that!
Didn't realise that I should do conditional port forwarding. Just got Cloudflare's IP ranges added to my router. Excellent. Now to learn about VLANs as that's really the only other thing I don't have configured. Cheers Techno Tim!
commenting just to say that microcenter is the best, and every machine I've ever built has come from them
Noooo.. The purple ambient lighting is gone! 😄
Thanks for your awesome videos. They are amazing and I learn so easily with you explaining it all.
Thanks for this detailed and wonderfully illustrated explanation. Before coming across your video, I had read and watched many guides on self hosting that were not very clear on security steps (if they mentioned security at all). Your video is a gem of a resource!
Thanks for another great video.m!! Your first advice is great: just don’t open up your home. As a non-professional have learned this the hard way a couple of years ago. Thanks for not forgetting to put in that advice!
Thank you!
What happened?
@@alexitanguay Putting a server online while having forgotten having set up a test account called test with password test - it is one of those things that gets your ISP connection suspended until you explained your error after finding it in the first place. If you're not a professional in the field you are bound to do silly things like that.
This is sooo good!! Many years wondering what I would need to do to self-host stuff without putting myself at risk and you just told me everything in less than 20 minutes. Thanks a lot!!!
i just wanted to search more about this topic! and the you come whit this video!
Thanks for the tip of NATing only Cloudfflare IPs. That's one thing I've been missing and it really helps a lot with my conscience! :D
This was such a great video. You covered so much with simple explanations. Thanks!
Great video! First one I've seen so far to talk about the most basic, firmware updates.
Great video! Your public speaking skills are impeccable! Learned heaps!
Thank you so much! It takes practice! I think I still have much to work on!
Mannn, I'm such a visual learner and these little dynamic icons/symbols you're using give me a good basis to follow along with.
I've watched this so many times - but I keep coming back to it when I need to check over my security measures and see if there's something I need to change/implement. Best security video for self-hosting!!
I really wish that there was a "latest-stable" tag like how there are LTS versions of operating systems. This way you could have a patching cycle that just checks for and applies the latest stable patch.
There is with nginx, it really depends on the container maintainer and how they manage their releases!
@@TechnoTim Thanks!
Textbook quality educational content in the form of a video, one of the finest creations I've ever come across, in any category.
Thank yoiu so much!
Another fan here from the Netherlands! I'm learning so much from your videos!
Thank you!
YESSSSSSS. I'm researching this subject recently! THANK YOU
These are really great advices that you learn even in CCNA, so, good stuff. But the aspect of the host itself, about containers, os, virtualization, and updates it's something you don't see teached around often. Probably because is a market that's always changing, but it would be great to have an in-depth video about this part!
Thank you!
Excellent video Tim. Now I don’t have to explain it to anyone anymore, I just point them here. By the way: greetings from The Netherlands 😉
Great video. Can you make a series following up this video how to setup all your advice?
I would add to this that you can make use of Qualys (self hosted) in order to scan for vulnerabilities in your Home lab. They have a free version for up to 16 devices !
Once more a great video and another excellent source of inspiration. Totally love the little paper icons. You are good dude! I have to say that your channel has become my favorite one when it comes to IT related content. I am surprise that you haven't got more than 1 million subscribers considering the quality of your videos. It will be soon I am sure. This video comes just when I was considering rehosting some customers websites, perfect timing.
Awesome, thank you! This is all new to me, so just figuring it all out!
@@TechnoTim Hello Tim. Thank you for your kind message. In case you are reading this, I believe you would be the perfect person to do a tutorial on how to setup IPV6 with Docker. I have been struggling for the last week with this on my infrastructure. Proxmox in bridge mode with a /24 subnet from my ISP, Docker swarm on KVMs and PFSense on bare metal. I am trying to implement a vanilla IPV6 config with DHCPv6 on PFSense. Totally insane that I could not find a proper recipe to do this. The docker gateway behavior makes the whole access to containers particularly weird. In case you have some knowledge on this type of setup, it would be a great material to add to your collection. Take care !
These illustrations are really cool.
I'm creeped out the most about my personal machine being compromised, because of the local cluster.
Thanks!
Thank you!
Thanks!
Thank you so much!
Great video - if I was to host at home, I would add a second router behind my first router/firewall - so I have somehting like a DMZ - or go the VLAN path...
The Cloudflare setup can also be done with Cloudlfare tunnels from their zero-trust product. The dashboard can be a bit confusing.
The advantage is, it doesnt rely on router and port forwarding configurations. This also means, the server is somewhat portable and can be deploy fast at a different location in another network.
Any chance of a tour of how your network is laid out? From the modem to your servers? Maybe a how to of how you have your stuff setup? Perhaps a video series/playlist? I would like to redo my home lab to do a better job of segmenting things out.
Or a guide on network layout strategies and techniques? Suggestion on traffic segmentation, pros/cons and ways to accomplish.
Brilliant video! How you’ve not got more subscribers is mental!!
Thank you!
The visuals here made the content easy to understand, along with your expert explaination. Thanks!
Glad it was helpful! Thank you!
@@TechnoTim it would be amazing to see a similar video for securing a cloud vps for self hosted applications. A lot more people now are leveraging the likes of Linode or DigitalOcean, but wish to retain privacy and security.
I have to say I am loving the paper items and the shuffling off them - very cool. Dutch crew reporting in
Thank you!
Thank you very much 🙏
I had no idea on how to secure my home server, without putting my family at riskt 😅
This Video gave me a good idea on what I had to do and look for ❤
I think that for some odd reason SSH Bastion Hosts are strangely overlooked idea on the self-hosted environments. Servers on DMZ (behind the firewall on their own logical network, isolated from rest of the end devices) + Securely hardened Bastion host for server management access limits the attack surface to minimal as possible. Same goes to any intermediary device management portals etc...
Great call!
this is great guideline for start self hosting security. If you need some kind of inspiration for the video, you might split this one into few yt videos and describe each section in details, giving some basic explanation for newbies on each topic, maybe using more examples and advices, or even setting this kind of server hosting from scratch giving examples on options within each layer of security. I've got this idea watching this section: 9:32, so it may be good starting point
I had to go Light Mode on this one 😎
Need a darkmode Button for this video.
Love Techno Tim insanely helpful videos about sorting our digital life.
This really comes down to the use case, some times integrating 3rd party services by them self could actually cause more damage than setting up everything local only.
This is such a good video, keep it up bro, I can already feel the 100k subs
Bro Thank you so much for the Conditional Port Fowarding Advice, it makes so much sense!
I love how you make so easy to understand thank you Tim.
Good work covering supply chain attack from dodgy containers.
Your hoodie is insane, regards from Germany
I love the props explanations in this video. Good job
Thank you!
I recognize that "thank you" sign, that's awesome
Thank you! 😀
Great to see cloudflare getting recognition. There are only a handful of videos that I've seen that stick to using cloudflare for firewall. They may sell data, and had an outage recently but for a inexpensive firewall, dns record management, and more, I recommend them. Been using them for almost two years now.
I had to go Light Mode on this video 😎
How does using cloudflare the way you outlined in this video compare to cloudflare zero trust tunnels? What are the pros and cons of each?
What would change if I config my server into DMZ instead of port-forwarding it (in the modem/router)? I know that the DMZ opens all the ports available for one machine, but it’s isolated from the rest of the network, does it make it more safer?
Setup CrowdSec the other day to block IPs in iptables on my reverse proxy VM (since it's the machine requests get forwarded to).
So much to think about now. A lot to work on now that I'm changing my network stack around.
the video was PERFECT! , on the other hand the thumbnail made me avoid the video several times in my recommendations
Noted!
Thank you for your honest feedback! I questioned it from the start. Just uploaded a new and improved one, refresh to see it! Thank you for your honesty! This helps!
@@TechnoTim I really rarely comment, and I was a little direct haah, but I loved the video so much that it really deserves to reach the most people
and the new thumbnail I find it great! more colorful it catches the eye 😊👌
dude, I love the graphics! great Job.
Such a great use of pictograms! Awesome video, much appreciated. Cheers from the Netherlands :)
"Hey, that MicroCenter looks familiar." Howdy neighbor, keep up the great work!
Damn, this is such a nice tutorial. Thank you for making this very accessible :)
Great video, thought it should be pointed out that it is possible to allow a group of ingress IP's within UniFi by creating a firewall rule and apply it before predefined rules. The action should accept, then create an IP and port group for the source (this will be the cloudflare IPs that you created a rule per IP block for) and the destination should then be the machine to forward to. This does require 1 (ONE) port forward rule setup the way that you have setup, and then exclude the ingress IP used in the port forward from the cloudflare group.
It's a bit of a hacky solution but it works.
Interesting. I tried for hours to do something similar but ended up just using the clunky ui for port forwards without aliases. Thank you!
Just as a quick note for your UDM: You can add cloudflares IP ranges as a group (at least in the legacy ui) :)
Will look a bit better
Thank you! Yeah, what a great "upgrade" 😉
@@TechnoTim You can do this on the new UI as well pretty sure. Settings > Profiles > Port/IP Groups
Very good info and well explained, thanks! But what was most impressive was aaall those little papers manually coloured!😅
An additional method of protection I use when it comes to Cloudflare is ASN blocking. I've spent a lot of time collecting a lot of webhost and VPN providers network ASNs to effectively block a lot of potential bad traffic. I find this blocks A LOT of "bad actors" especially when attackers often rent multiple IPs from the same host. Simply blocking the hosts ASN will effectively block every possible IP that hosting provider owns, without necessarily having to block IP ranges themselves.
Re: USG repetition... You can automate all Unifi USG via Ansible. Even learning Ansible for a simple connection and a quick loop to set all of those forwarding rules is a great way to quickly pickup and learn Ansible for a small simple task.
Good call!!
Great job on the video. I'm glad I found your channel. Keep up the good work!
Incredible job ! Thanks for sharing !
Your the man Tim.
1. I like the hat. Maybe the ladies like those foofie locks... But not me.
2a. Those illustrations were awesome. (seriously)
2b. The humor and creativity are fantastic
2c. But you have to understand it does open you up for some trouble. You color those yourself? 😉 (I actually kinda wanna know)
3. This was a great overview. This is exactly what I am wanting, and exactly the path I would love to head down. If you would walk through this step-by-step it would be fantastic. IMO
Thanks again! I'm a noob... But this noobs a big fan, thanks!
Oh. And I realized I do have a Mico center here! It's 35 minutes away...but I have one!
Thanks, Tim. The weekend project.
I really gotta get my IOT devices on thier own vlan, I went down that route a while back and broke all the mobile functionality.. Im sure its something on my part.
Thanks for the tip about the cloudflare IP ranges
7:32 latest can also have breaking changes if it starts pointing to a major version release and may need hands on involvement from you. Already had this happen once and that will be the last time because I went ahead and changed all my containers to refer to specific release. Some projects have tags for major releases so I point to those instead if available (like a 5.0 tag pointing to the latest 5.0 release)
Thanks Tim.... As always very clear.... Maybe you can make a step by step how to series to achieve this?
Another really informative and clearly presented video! Thank you for the time and effort you put into the channel.
Are yoh referring to Cloudflare Zero-Trust/Tunnels in this case? Or is this again, just a reverse proxy? It would increase latency in any way, but also security.
THIS is a epic good video ! NICE WORK TIM !!!
Thank you!