Self-Hosting & Home Server Security Tips

  • Published: 6 Oct 2020
  • In this video we're going to look at how to help secure your home server to make sure that only the people you want to have access to your applications will be able to access your server.
    I'm not a security professional or a network professional, but I've picked up a few tips to help keep your server safer.
    Full blog post: dbte.ch/securitytips
    Patreon Early Access: / 42492796
    VPN SETUP LINK: / set-up-a-vpn-server-wi...
    More OpenMediaVault 5 tutorials here:
    • Openmediavault 5 (OMV5...
    /=========================================/
    Remember to leave a like on this video and subscribe if you want to see more!
    /=========================================/
    Like what I do? Want to be generous and help support my channel? Here are some ways to support:
    Patreon: dbte.ch/patreon
    Ko-fi: dbte.ch/kofi
    /=========================================/
    Here's my RUclips Merch Store:
    dbte.ch/ytstore
    /=========================================/
    Here's my Amazon Influencer Shop Link:
    Amazon: dbte.ch/amazonshop
    /=========================================/
    Follow Me:
    Twitter: dbte.ch/tw
    Facebook: dbte.ch/fb
    Subscribe: dbte.ch/ytsub
    #HomeServerSecurity #SelfHostingSecurity #DBTech
  • Science

Comments • 116

  • @DBTechYT 3 years ago +8

    Please feel free to add any other security tips and tricks here in the comment section!

    • @okanerdem 2 years ago

      Hi DB Tech, I've a small question. I'm using an Access List for Bitwarden and I allowed just my public IP address for access. Also I'm using Cloudflare for the CNAME for Bitwarden. The question is that, as you know, if we are using reverse proxy + Cloudflare, access to Bitwarden comes via a Cloudflare IP address, and that's why access is not working, because the traffic is coming from a Cloudflare IP. That means access will not be possible because we allowed just my public IP. How do you manage this for yourself?

  • @jon4hz 3 years ago +27

    Mostly agree but there are a few things I would add:
    - setup 2fa or at least ssh keys for accessing the server
    - disable root access for ssh
    - use docker user namespace, so if a container gets compromised, there is no way to escalate privileges, escape the container, etc
    - Bind docker ports to 127.0.0.1 and set up a reverse proxy with ssl encryption with a docker network
    - and last but not least MONITOR. Monitor everything, setup alerts for ssh logins, alerts for high cpu usage, alerts for everything unusual (I like Zabbix for that).

    • @commandcracker8635 1 year ago +2

      Hi there. How do you setup alerts in Zabbix?

    • @majorgear1021 22 days ago

      How will binding docker ports to 127.0.0.1 even work? My reverse proxy isn't on the same system as my docker containers…

  • @snoman6322 3 years ago +1

    Found your videos a few weeks ago. You do an excellent job explaining things. This is a very useful video!

  • @GlenBland 3 years ago +6

    Great video, thanks DB. The Cloudflare firewall rules and nginx allow lists were 2 things I had not been taking advantage of.

    • @DBTechYT 3 years ago +3

      Glad it helped! I've only been using allow lists for a VERY short amount of time. Figured if I was going to talk about server security, I should probably implement some on my own server :)

  • @MediMizerSoftware 2 years ago +1

    Great clear summary... Lots of material, quick. Great starting point before learning about each in depth.

    • @DBTechYT 2 years ago

      Much appreciated!

  • @vgamesx1 3 years ago +9

    I do actually have one security tip to add: on the Cloudflare firewall page you can block access to admin panels or services. For example, if you don't want anyone modifying your publicly accessible WordPress, you can make a whitelist rule with "IP is not X" and "URI path contains /wp-admin" then block, meaning only you can access anything that contains /wp-admin in the address.

  • @wallflower_es 1 year ago

    Always good tutorials, useful and simple to apply. My server on raspberry pi is running perfectly. Thank you so much

  • @saikouma1922 3 years ago +2

    Thanks as always, I literally woke up and did these changes on my server.

    • @DBTechYT 3 years ago +1

      Good to hear!

    • @saikouma1922 3 years ago +1

      @@DBTechYT Ps: Can you do a video about backing your server up? I tried a few days ago and had many issues :') ((Hyped about the upcoming vids!))

    • @DBTechYT 3 years ago +3

      It's on my list to make that video soon

  • @coletraintechgames2932 3 years ago +1

    Absolutely what I needed!

  • @mrsharps 2 years ago

    THANK YOU!! This is the best explanation of how nginx secures a home lab that I have seen online!

  • @rodrigocornidez1917 1 year ago

    Great video, thank you for sharing!

  • @Franceyou 3 years ago +1

    Thank you, very useful!!

    • @DBTechYT 3 years ago +1

      Glad to hear that!

  • @okanerdem 2 years ago

    Great information, thanks!

  • @_siliconfox_ 7 months ago +1

    I've been looking for a way to safely host a server from my home. Thanks bud.

  • @llamingo 1 month ago

    Excellent tutorial.

  • @gamedevraf 3 years ago

    Thanks for the Video!

    • @DBTechYT 3 years ago

      Thanks for watching!!

  • @OmgLuLzWTF 3 years ago +1

    You sir just earned a sub

  • @dustinloring8989 3 years ago

    Thanks, great video. I am new to both Docker and OMV. I was wondering if you could do a video on the pros and cons of having multiple file systems (Config, Data, etc.) as opposed to just one big (all files) RAID.

    • @DBTechYT 3 years ago

      I think you've got some of your terms mixed up. A filesystem is the methods and data structures that an operating system uses to keep track of files on a disk or partition. I only use the EXT4 filesystem on my system. RAID is a way to configure hard drives to act as a single pool of data storage. I don't use RAID on my system.
      To make an attempt at answering your question as I think I understand it, I have my configuration folders and files in one specific location that is typically away from my data because I like to keep things organized in a way that makes sense to me. I don't want to put my configuration files in with the files I'm uploading as it becomes a nightmare to figure out what is what in regards to files uploaded by me or someone else and what is an application file.
      It's just the way I've decided to organize my Docker containers. It makes sense to me. I don't think there is any 1 right way to do things as long as everything is working and you can keep backups of your data.

  • @cnssegura 1 year ago +1

    I'm not disagreeing with you or anything. I just want to point out that making these settings changes would be more effective if done before even getting online, if possible.

    • @DBTechYT 1 year ago

      I think you're right

  • @issacohasi 1 year ago

    Hello DB! Thanks for your valuable content! I am using your tips, creating a Cloudflare Tunnel to access my remote applications remotely. I am just thinking whether it is better to put an nginx proxy between the tunnel and the access to each application. The effort to maintain the tunnel will be the same in terms of adding a new service to the public web; however, I am thinking that it could be more secure (and slower, since there is an additional server to jump through to the application). What do you think? Is the effort valid to keep this extra security layer? Thanks, greetings from Brasil!

  • @ronm6585 3 years ago

    Thanks.

    • @DBTechYT 3 years ago

      Thanks for watching!

  • @elliotwilliams8250 3 years ago +1

    Great video. Nginx reverse proxy is awesome. Could you please create a how to for vpn access?

  • @majorgear1021 22 days ago

    Great list. You could add video chapters and maybe cut some fluff from the presentation, but overall I found it informative.
    A few times I zoned out and checked back in occasionally, asking "is he done talking about his cousin yet?" lol.

  • @Master.Billy.Quizboy 3 years ago +3

    I just wanted to say what everyone else is. I loved the video! I think security is something noobs tend to neglect because they're overwhelmed by how cool it all is.
    But security is easiest to adopt when it's learned early (like not using any random Docker image you come across).
    Potentially a new type of video series to add to your repertoire.

  • @thejerseyshaun 3 years ago +1

    Hey dbtech. In your Raspberry Pi series you touched upon fail2ban, even installing the plugin on OMV. Are there any plans to show us how to use this alongside Docker, Nginx PM and Let's Encrypt?

  • @kevinhughes9801 3 years ago

    Great video! Would love to see full video on cloudflare please?

    • @DBTechYT 3 years ago +1

      I had actually planned on making it yesterday, but I felt like garbage. Going to make it for Monday :)

  • @okanerdem 2 years ago

    A small question: what should be written as the IP in the access list? Like IP / subnet? When I wrote only my public address in there, I could not access it a few hours later. I saw a Cloudflare page and an SSL error. Should we also add the Cloudflare IPs to the allow list?

  • @ScheveninGaming 3 years ago

    How were you able to configure your sites with access lists to read your actual ip and not the proxied ip that cloudflare has you connecting as? When I put an access list on a site that only allows my public ip, I am still unable to access the site because of the cloudflare proxy making my ip appear as one of cloudflares many ips.
    I guess I am also asking if you proxy the sites which you have an access list on. How are you getting nginx pm to recognize your IP when you try to connect to your site behind cloudflare proxies?
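The failure described in the two questions above (an allow list of your own public IP stops matching once Cloudflare proxies the site, because the proxy's address is what the origin sees) comes down to which address the access list is evaluated against. The Python below is an added illustration, not code from the video or from Nginx Proxy Manager: it models the decision the proxy makes, and shows why the forwarded header may only be trusted when the connection actually arrives from a proxy range (in nginx this is the realip module: `set_real_ip_from` for each Cloudflare range plus `real_ip_header CF-Connecting-IP;`). The IP ranges and requests are constructed placeholders from documentation address blocks; a real deployment would load Cloudflare's published ranges.

```python
import ipaddress

# Constructed placeholder for the proxy ranges you trust. In production this
# must be Cloudflare's current published IP list (not embedded here); the
# TEST-NET-3 block only stands in for it so the example runs offline.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed allow list: the home's public address (a documentation range).
ALLOW_LIST = [ipaddress.ip_network("198.51.100.7/32")]


def client_ip(remote_addr, headers, trusted_ranges):
    """Return the address an access list should be evaluated against.

    CF-Connecting-IP is honoured only when the TCP peer is inside one of the
    trusted proxy ranges; a client that reaches the origin directly could
    otherwise forge the header and walk past the allow list.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in trusted_ranges):
        forwarded = headers.get("CF-Connecting-IP")
        if forwarded:
            return ipaddress.ip_address(forwarded)
    return peer


def is_allowed(remote_addr, headers, allow_list=ALLOW_LIST, trusted_ranges=()):
    """Evaluate the allow list the way the proxy would; True means admitted."""
    ip = client_ip(remote_addr, headers, trusted_ranges)
    return any(ip in net for net in allow_list)


# Constructed requests: the visitor at 198.51.100.7 arriving through the proxy,
# and a direct request from elsewhere that forges the header to impersonate it.
PROXIED = ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"})
FORGED = ("192.0.2.44", {"CF-Connecting-IP": "198.51.100.7"})


def demo():
    return {
        # The symptom from the comments: behind Cloudflare the peer address is
        # the proxy, so a bare allow list rejects the visitor's own IP.
        "proxied_without_trust": is_allowed(*PROXIED),
        # Trusting the proxy ranges restores the real client IP: admitted.
        "proxied_with_trust": is_allowed(*PROXIED, trusted_ranges=TRUSTED_PROXY_RANGES),
        # Direct request with a forged header: the peer is not a trusted proxy,
        # so the header is ignored and the request is denied.
        "forged_direct": is_allowed(*FORGED, trusted_ranges=TRUSTED_PROXY_RANGES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'denied'}")
```

Trusting the header alone, without restricting the origin to connections from the proxy ranges, recreates the third case: anyone who can reach the origin directly can name your IP in the header.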

  • @BASKETBALLXSWAG 1 year ago

    How do you secure docker/portainer since UFW doesn’t apply to docker? Do you already have a video on this? Would really appreciate it :)

  • @squalazzo 3 years ago

    Great info! Thanks!
    Port 80 is needed by Let's Encrypt; it uses that port to check your server is accessible, while applying SSL to port 443... never seen it working with just port 443, honestly...

    • @DBTechYT 3 years ago +1

      Thanks for the info! I figured there would be an actual need for port 80 but didn't think about it just being there for verification purposes :)

    • @RabbitChannel66 3 years ago

      My ISP blocks port 80, but it allows opening port 443. So I don't think using Proxy Manager on my network with only port 443 would work.

  • @vgamesx1 3 years ago

    Nice, I was already doing all of this, I don't need to touch anything, although I was unaware of 16:32 and how access lists worked, so thanks for pointing that out.

  • @cyberbud 3 years ago +2

    Good advice. Do you have a video to show how to back up the server?

    • @DBTechYT 3 years ago +2

      I don't have a video on that yet. I'll see about getting one up in the next week or so

    • @cyberbud 3 years ago +2

      @@DBTechYT that would be great.

    • @GlenBland 3 years ago +2

      I would also love a video on how to make backups. What to backup. How to automate the process.

    • @vgamesx1 3 years ago +1

      @@GlenBland If you're using Docker then you just back up your volumes (I think the default location is /var/lib/docker/volumes) or whatever bind mounts you created. For example, my data is stored in /media/usb/docker-data, so as long as everything in there is copied I'm good. There might be something better, but personally I just use rsync with an external USB drive because it's easy.

  • @ravine9083 1 year ago

    Thank you so much for this video. I set up my home server almost a year ago and I clearly have a lot to work on. I use DYNU , looks like I'm switching to cloud flare. I haven't used NGINX. Is that a replacement for Apache? Also what cloud service do you use to back up your server? I can't find anything that's compatible with Linux and doesn't charge crazy prices.

    • @DBTechYT 1 year ago +1

      Hey! So I would actually consider using CloudFlare Tunnels instead of NGINX at this point (this is an older video) as CloudFlare tunnels doesn't require you to do any port forwarding and works behind cgnat setups. As far as backups are concerned, you can do local backups if you have another computer to setup as a backup server or you could use something like BackBlaze (that is Linux compatible) for off-site backups.

    • @ravine9083 1 year ago

      @@DBTechYT thanks for the help! That's awesome. I shut off my port forwarding. I'll work on security and then bring my server back up. I have backblaze, but the unlimited plan doesn't cover Linux servers. It's way too expensive.

  • @andychen1933 3 years ago

    Please add Medusa setup tutorial, thx.

  • @brianabston4280 3 years ago +2

    Do you have a cloudflare how to setup video? I think that would be a good next video to detail out.

    • @DBTechYT 3 years ago +5

      I've had several requests about setting up CloudFlare just from this video, so I think my video this Friday will be about setting up CloudFlare. Thanks for watching!! Much appreciated :)

    • @brianabston4280 3 years ago

      DB Tech awesome thanks. I want to update to use that and proxy manager. Currently using swag but I think will like this setup better.

    • @DBTechYT 3 years ago

      I need to look into Swag just so I'm familiar with it, but I really like my current setup :)

  • @MrEXXS 3 years ago

    Hello everyone ;)
    I need some help with the UFW firewall.
    -> Setup: My home server is behind the router's firewall (open ports 80, 443). Raspbian Pi, Nginx Proxy Manager (Docker container + SSL), website (WordPress, wordpress_db also in a container).
    When I activate the Linux UFW firewall, nginx asks for user and password, but then UFW blocks the website (504 Gateway Timeout). I can't fix this problem because Docker is using bridges and its own networks. My thoughts were redirect problems, or nginx can't use the WordPress network.
    Or do I not need an additional firewall in this case?
    I would be very grateful for any tip. Thanks in advance.

  • @kristopherleslie8343 3 years ago

    What about using an SDN into your network instead, and zero trust?

  • @launchpending 2 years ago

    Within minutes of adding a subdomain I'm seeing queries blocked by the firewall rules I've set- should I be concerned, or are there really just that many bots and compromised systems out there, knocking on every possible subdomain? Love the channel!

    • @DBTechYT 2 years ago

      It's just the state of the internet right now. Bots looking for ANYTHING they can do something with.

  • @YuriShevchouk 3 years ago

    What notes app do you use to write the outline for this video? I saw that it was self hosted. Btw, you should really blur out some of the IPs you showed in this video (like the private IP for the hosting service, plus you showed your Cloudflare private IPs too).

    • @DBTechYT 3 years ago

      I use Bookstack for notes. I showed those IPs on purpose for the sake of the video

  • @chorbil 3 years ago +19

    Another security advice: only use STRONG and UNIQUE passwords. And consider Two Factor Authentication where possible.

  • @MrBobo88 3 years ago +1

    Hi, I have a problem with the Nextcloud app. When I activate the access list then I can't access over the app, because it does not ask me for user and pass like over the browser. What is your recommendation? Tnx

    • @matthias3231 2 years ago

      Does anyone have a solution? Apart from disabling the access list for Nextcloud.

  • @Franceyou 3 years ago +1

    Hi DB. I was thinking to buy a domain with porkbun as you suggested to improve the safety. Actually I do not want to expose my server and containers to the web, however I am using hassio and OpenVPN (to have access to my files and containers) by using duckdns. How can I create SSL cert with porkbun? Do you still suggest porkbun in my case? Many thanks!!

    • @DBTechYT 3 years ago +1

      If you plan on using duckdns then you don't need to use Porkbun. You only use Porkbun to buy your own custom domain. You use CloudFlare and NGINX Proxy Manager for SSLs. Also, you can't hide your IP address if you use DuckDNS, which is less secure.

    • @Franceyou 3 years ago

      @@DBTechYT thank you so much for your quick reply. For that I would like to use Porkbun, for safety reasons. But I did not get how to create the SSL cert. I saw your link on GitHub regarding the Nginx Proxy Manager and I did not get whether it is safe or not. However, I would like to keep it as simple as possible. So, if I create a domain with Porkbun, with Cloudflare will I be OK (safe) with the SSL certificate or not, as it is still missing something?

    • @DBTechYT 3 years ago +2

      Go watch my WordPress video. It shows how to host a website

    • @Franceyou 3 years ago

      @@DBTechYT Cheers!!!

    • @Franceyou 3 years ago

      My apologies but I cannot understand if Nginx proxy manager is necessary in my case with openVPN.

  • @sergioit96 11 months ago

    I know the video is from a long time ago, but I have a question. I am using Cloudflare to protect my own domain, but wanted to use Wireguard as a VPN. The problem is that Cloudflare's proxy blocks all non-http/https requests. How do you manage this with your vpn? I understand that the solution is to disable the proxy of the subdomain that my vpn uses... but wouldn't it be a problem to have the subdomain exposed in this way? Thank you!

    • @DBTechYT 11 months ago

      I use Cloudflare Tunnels to remotely access my services. Doesn't require ANY port forwarding and you get all the benefits of Cloudflare's security

  • @coletraintechgames2932 2 years ago

    Do you have a playlist for this?
    Like starting at nginx and moving forward?

    • @DBTechYT 2 years ago +1

      x86 Playlist: ruclips.net/video/A5ckT7pxrNY/видео.html
      Raspberry Pi Playlist: ruclips.net/video/TYewyAK6GmQ/видео.html

  • @0ctatr0n 3 years ago

    I know this wouldn't be an issue on a home server behind a router, however if your docker containers and nginx proxy are running on a VPS, do you think it would be better security practice to link Nginx Proxy Manager to the docker applications' _internal ip and port_ than the external host machine port? The goal here being not to end up having several ports opened to the internet. But as you said, only ports 80 and 443 and perhaps 53 for pihole ;) What do you think?
    You would also change your docker compose files, replacing for example:
    *ports: - 3334:3334* with *expose: -3334*
    Could I put a request in for an episode? I would really love to see if I could back up all these docker mysql and postgresql databases offsite using a scheduled cron job while they're still running.
    Actually I'm surprised no one has covered this, as backup of docker instances' config and data doesn't ever seem to get covered by anyone.

    • @DBTechYT 3 years ago

      I only have ports 80 and 443 open on my router/modem. All the traffic goes to NGINX Proxy Manager and it routes the traffic.
      Thanks for the tip on expose.
      Several People have asked about backups as a result of this video. I'm going to try to release that video on Monday.
      Thanks for watching!

    • @0ctatr0n 3 years ago

      @@DBTechYT That's what I said at the beginning, if you're running docker containers at home behind a router this method is not needed. So your setup on the show doesn't need to do this of course ;)
      _My point is_ if you're running docker instances on say Digital Ocean or Vultr or Amazon AWS where you don't have the protection of a router masking your internal network ip addresses and ports, this method would reduce your port exposure to the internet.
      So Nginx Proxy Manager would have say nextcloud.yourdomain.com linked to 172.40.0.3:888 instead of 192.168.1.35:888, if the docker compose _internal port and docker ip_ is 172.40.0.3 with port 888

    • @kurtnaslund 3 years ago

      @@DBTechYT Hello! First of all, thanks for the great work you are doing! :-) I have set up nginx and OMV now, and am using Cloudflare, but I am struggling a bit on how to configure my router ports the correct way... I think. I have followed your tutorial, but when accessing my sub-domain that should lead to OMV, I am only getting the login screen for nginx...

    • @DBTechYT 3 years ago +1

      You need to forward ports 80 and 443 to your server with NGINX proxy manager on it. Then, NGINX proxy manager will be configured to forward from there to the respective application. Check out this video to see the order in which I do things of setting up my domain, application, NGINX, etc.: ruclips.net/video/2W7aW0SmxwA/видео.html
      Also, it's better to not reply to someone else's comment to get an answer. It was only happenstance that I ran across this comment. Please be sure to create a new comment thread for questions in the future.
      Thanks!

    • @jon4hz 3 years ago

      expose doesn't have any operational impact tho. It's just informal, so basically you don't even need that
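The `ports` versus `expose` point made in this thread, together with jon4hz's earlier advice to bind published ports to 127.0.0.1 behind a reverse proxy, can be checked mechanically. The Python below is an added example, not code from the video or from any commenter: it parses Docker's short port syntax and lists every mapping a compose file would publish beyond loopback (a mapping with no host address binds every interface, and ports Docker publishes are reachable regardless of UFW, because Docker installs its own iptables rules ahead of it). The compose content is a constructed stand-in, written as the dict a YAML loader would return so the example needs no extra library.

```python
import ipaddress

# Constructed docker-compose snippet, expressed as the dict a YAML loader would
# return, so the example runs offline without a YAML dependency.
COMPOSE = {
    "services": {
        "app": {
            # Published on every interface: reachable from the LAN/Internet
            # directly, and Docker's own iptables rules sit ahead of UFW.
            "ports": ["3334:3334", "6060:6060/udp"],
        },
        "db": {
            # Only processes on this host (e.g. the proxy) can reach it.
            "ports": ["127.0.0.1:5432:5432"],
        },
        "web": {
            # `expose` only documents the port for other containers on the
            # same Docker network; it publishes nothing on the host.
            "expose": ["8080"],
        },
    }
}


def parse_port(spec):
    """Parse Docker short port syntax [HOST_IP:][HOST_PORT:]CONTAINER[/PROTO].

    Returns (host_ip, host_port, container_port, protocol); host_ip is None
    when Docker would bind every interface.
    """
    spec, _, proto = str(spec).partition("/")
    proto = proto or "tcp"
    host_ip = None
    if spec.startswith("["):  # bracketed IPv6 address, e.g. [::1]:80:80
        close = spec.index("]")
        host_ip, spec = spec[1:close], spec[close + 2:]
    parts = spec.split(":")
    if len(parts) == 3 and host_ip is None:
        host_ip, host_port, cport = parts
    elif len(parts) == 2:
        host_port, cport = parts
    elif len(parts) == 1:
        host_port, cport = None, parts[0]
    else:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return host_ip, host_port, cport, proto


def binding_scope(host_ip):
    """Classify where a published port is reachable from."""
    if host_ip is None or ipaddress.ip_address(host_ip).is_unspecified:
        return "all-interfaces"
    if ipaddress.ip_address(host_ip).is_loopback:
        return "loopback"
    return "specific-interface"


def audit(compose):
    """List every port mapping that Docker would publish beyond loopback."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for spec in svc.get("ports", []):
            host_ip, _host_port, cport, proto = parse_port(spec)
            scope = binding_scope(host_ip)
            if scope != "loopback":
                findings.append(f"{name}: {spec} publishes {cport}/{proto} on {scope}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(COMPOSE)) or "all published ports are bound to loopback")
```

When the proxy lives on another machine, as asked earlier in the comments, binding to that host's LAN address ("specific-interface") is the middle ground; it still does not pass through UFW.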

  • @jorgegomez374 3 years ago +1

    Can you talk about updating the dynamic IP DNS on Cloudflare?

    • @DBTechYT 3 years ago +1

      Yeah. I actually touched on it once in a video several months ago, but I need to make a dedicated video for it I think.

    • @jorgegomez374 3 years ago

      @@DBTechYT I am going to look for it. I saw and followed the one that you did on Cloudflare and nginx but don't remember seeing how to update the IP on Cloudflare if my ISP changes it. Great work man. I am working with a Raspberry Pi, OMV, Docker, Portainer and several containers thanks to you.

    • @DBTechYT 3 years ago

      I'm going to make a video for Friday that will talk about setting up CloudFlare :)

    • @jorgegomez374 3 years ago

      @@DBTechYT thanks

    • @jamier6268 3 years ago

      This would be great and I was just researching this topic. Showing how to update Cloudflare IP addresses if you have a domain name would be great. I've seen how to do it using something like DuckDNS or No-IP, but that seems like an unneeded step if you have your own domain.

  • @DeanO418 1 year ago

    Is it possible to hide your IP behind a reverse proxy so if you are hosting a game server to the public your public IP is not visible? I am using Proxmox.

    • @DBTechYT 1 year ago

      Yes. You can use CloudFlare's DNS to do this

    • @DeanO418 1 year ago

      @@DBTechYT Just an IP address, no domain. I set up an nginx reverse proxy in the cloud, not sure how to configure it on my home server.

  • @ierosgr 3 years ago +1

    You forgot the link to the Raspberry Pi VPN you mentioned you would leave down below.

    • @DBTechYT 3 years ago +1

      You're right!! Thanks for reminding me. I updated the description and the blog post. Here's the link: medium.com/@gurayy/set-up-a-vpn-server-with-docker-in-5-minutes-a66184882c45

  • @BigFourHead 3 years ago

    So I set up Cloudflare for my self-hosting, but if I use proxied it doesn't work, if I use DNS only it does? Ideas?

    • @DBTechYT 3 years ago

      You probably aren't giving the DNS mode enough time to propagate and/or you're having DNS caching issues.

    • @BigFourHead 3 years ago

      @@DBTechYT Cheers, I'll have a look at both of these things.

    • @BigFourHead 3 years ago

      @@DBTechYT problem found. Moved to new ISP and found out they block incoming ports. Had to get them to remove it.

  • @susamogus11111 7 months ago

    Biggest CloudFlare ad in the world💀

    • @DBTechYT 7 months ago +1

      Nope. Cloudflare has never paid me for anything. I have never received anything from Cloudflare. No money, no merch, no free service. Nothing. Go back to stealing content from The Simpsons.

  • @tomgrey3046 3 years ago

    Elimination of port forwarding with a ZeroTier setup. No need to expose the ports. Exposing ports doesn't work in a CGNAT network anyway, so this might be an alternative. It eliminates the VPN, but is it a safe option? For home-lab safe networks it is a real option. For industrial apps, search for industrial gear/software/vendor/services. The average home user / creator is more interested in securing the data; archiving and proper backup planning is far more critical than VPNs or home web/mail hosting... Access to a single/multiple Chinese cameras or a brainy vacuum cleaner should be controlled via a well maintained/firewalled VLAN network. Home lab docker users - do they really know what they install in their docker instances? 3-way handshake - even a service with no port exposed can be a Trojan horse with home-labs or use a mobile device outside of the home network.available