I find the idea of self-hosting to be really appealing, but at the same time I find it to be incredibly scary. This is not because I lack the technical expertise, but because I have gotten the impression that everyone on the Internet would immediately try to hack into it to make it join their bot net. As a result, I would have to be constantly vigilant against this, yet one of the numerous assailants would only have to succeed once. Dealing with this constant threat seems like it would be frightening enough as a full-time job, but this would only be a hobby project for me.
How do the self-hosters on Lemmy avoid becoming one with the botnet?
You must log in or # to comment.
Only expose services internally then use a secure VPN to access your services, this makes your network no more vulnerable in practice than not self hosting. If you need/want to expose something to the internet, make sure you setup your network right. Use a DMZ to separate that service and leverage something like CrowdSec along with good passwords, antivirus, and keep things patched.
Thanks for the CrowdSec tip, I’ve already got an nginx reverse proxy set up but wasn’t aware I could integrate this for extra protection.
How do I check this? I route everything on my internal network only. But how should I make sure its not accessible remotely? I cannot just have these on an air gapped network.
Throw your IP into Shodan.io and see what it comes back with.
You can run a port scan against your public IP from another network to see what is open. But if you haven’t specifically set something up for external access through port forwarding you are probably fine.
Should I do the same if I want to expose an OpenAI compatible API to access an LLM to chat remotely on local technical documents?
It doesn’t usually matter what the service is, the basic concepts are the same. If you want to access a service you host on your internal network from another external network you either need to use a VPN to securely connect into your network, or expose the service directly. If you are exposing it directly you should put it (or a proxy like NPM) in your DMZ. The specifics of how to do this though will vary from service to service and with your specific network config.
I read the other day about a protocol called Gemini.
It might fit what you are looking for, if you goal is just to publish interesting content, or get the experience learning something new and different, but not for you if you want to monetize.
It is an alternate to the internet. You can self host there, also, but they have built Gemini to be unable to support applications, bots, malware etc… it goes much deeper, if you are curious, you should read, I am fascinated.
It’s mostly automated exploit finders looking for low hanging fruit. fail2ban and up to date software is your friend.
The ‘immediate attacks’ ppl mention is just static background noise. Server / scripts that run trying to find misconfigured, highly out to date or exploitable endpoints/servers/software.
Once you update your software, set up basic brute force protection and maybe regional blocking, you do not have to worry about this kind of attack.
Much more scary are so called 0-Day attacks.
- No one will waste an expensive exploit on you
- It sometimes can happen that 0-Days that get public get widly exploited and take long time to get closed like for example log4shell was. Here is work necessary to inform yourself and disable things accorsing to what is patched and what not.
As i already said, no one will waste time on you, there are so much easier targets out there that do not follow those basic rules or actually valuable targets.
There is obviously more that you can do, like hiding everything behind a VPN or advanced thread detections. Also choosing the kind of software you want to run is relevant.
What are you referring to when you say basic brute force protection?
fail2ban mainly, but also things like scaling login delays (some sort of option often built into the software you’re running, but just as often not configured by default), or if you’re feeling particularly paranoid account locking after too many failures, and in general just not using default, predictable, common usernames or weak passwords, and honestly it’s even helped a bit by having slow hardware and throttled network bandwidth.
The goal is to make it so that someone can’t run a script that sends 100 million login attempts per second for common or stolen usernames and passwords and your server just helpfully tries them all and obediently tells them none of those worked… until one of them does.
Not only does this encourage them to TRY sending 100 million login attempts per second because your server isn’t refusing it, which is a huge waste of bandwidth and resources, it also makes it really likely that they’re eventually going to guess one right.
The other answer is already good but I answer more general.
Rate limiting. Do not allow as many requests as your CPU can handle but limit authentication requests. Like a couple requests per second already goes a long way.
By default your OS is secure. You only have to think about what you expose and how can it be broken in. Disable SSH password authentication. Don’t run software that is provided by hobbyists who have no enough security expertise (i. e. random github projects with 1 or 2 contributors and any software that recommends install method
curl <something> | sudo bash). Read how to harden the services you run, if it is not described in the documentation — avoid such services. Ensure that services you installed are not running under root. Better use containerized software, but don’t run anything as root even inside containers. Whenever possible, prefer software from your distro official repos because maintainers likely take care about safe setup even if upstream developers don’t. Automate installing security updates at the day they released.What doesn’t help:
- Security through obscurity. Changing SSH port etc. Anyone can scan open ports and find where SSH is listening.
- Antivirus. It is simply unable to detect each of numerous malicious scripts that appears every day. It just eats your system resources.The best it can do is to detect that your host is compromised, but not prevent this. It is not security, just marketing.
- Making different rules for public internet and DMZ. Consider there’s no DMZ. Assume that your host can be accessed by crackers from anywhere.
Thanks, your comment is an antidote to my paranoia that it is impossible to do anything to address all threats. 😀
Given that your advice is very sound, I have a question: would I gain much by using OpenBSD? The conventional wisdom when I last checked is that it is the most secure unix-like operating system on the planet.
Yikes, lot’s of bad advice in this thread.
My advice: Go develop an actual threat model and find and implement mitigations to the threats you’ve identified.
If you can’t do that, that’s totally okay; it’s a skill that takes a lot of time and effort to learn and is well-compensated in the industry.
You will need to pay for it. Either through an individual assessment by someone who knows what they’re doing, managed hosting services where the hoster is contractually liable and has implemented such measures, by risking becoming part of a botnet or by not hosting in a world-public manner.
My recommendations:
- Pay for proper managed hosting for every part of your system that you are not capable of securing yourself. This is a general rule that even experienced people follow by i.e. renting a VPS rather than exposing their own physical HW. There are multiple grades to this such as SaaS, PaaS and IaaS.
- Research, evalue and implement low-hanging fruit measures that massively reduce the attack surface. One such measure would be to not host in a manner that is accessible to the entire world and instead pay for managed authenticated access that is limited to select people (i.e. VPN such as Tailscale)
- git gud
I have snort running on my firewall monitoring my LAN port. Does it help? No idea. Does it make me feel good because it blocks stuff? Yup. It does enforce IP blacklists from a feed, so it’s a start.
Keeping an loose eye on things and watching for extra network traffic, cpu, ram usage is what I do.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters Git Popular version control system, primarily for code HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol NAS Network-Attached Storage NAT Network Address Translation SSH Secure Shell for remote terminal access TCP Transmission Control Protocol, most often over IP VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
9 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.
[Thread #37 for this comm, first seen 25th Jan 2026, 22:05] [FAQ] [Full list] [Contact] [Source code]
I have often wondered since our friendly and helpful bot arrived, what would happen if we made a thread where everyone used as many acronyms as possible in our comments. It’s actually one of the more cooler bots I’ve seen in a while. Especially for new arrivals who don’t spreken ze Lingley. Crackin’ iidea.
Yes…yet another comment. LOL Something you should do from the very start is take notes of everything you do on the server. I use Notepad++ for the rough draft while I’m setting something up. Copy/paste, write out commands, notations, what this or that does. Take prolific notes. I really can’t stress that enough. That way, if you need to back out of something, or if the wheels fall off, you can go right back to your notes. Don’t be lulled into the idea that you will be able to remember every last keystroke you’ve made. That rarely happens. Take notes.
When I have successfully deployed whatever I’m working on, then I go back, take my notes, clean them up, and place them in Obsidian and make backups of them.
Makin notes is good for sonething very simple. It’s better to automate deployment with salt, ansible or something similar. A bit more effort at first setup, much easier restoration. Self-documented.
In another life I worked as a Mech Eng for a Contractor firm. The rule was ‘If you didn’t write it down, it didn’t happen’. Over the years, that has bled into my personal life as well. I hear what you’re saying, and from what I’ve digested regarding Ansible, it is a quite powerful and capable package. However, let’s let OP stand up his first server. He’s already stressed about not being a botnet victim. So, perhaps some rudimentary steps are in order. Then you can blow his mind with Ansible. LOL
Would something like Anubis or Iocaine prevent what you’re worried about?
I haven’t used either, but from what I understand they’re both lightweight programs to prevent bot scraping. I think Anubis analyzes web traffic and blocks bots when detected, and Iocaine does something similar but also creates a maze of garbage data to redirect those bots into, in order to poison the AI itself and consume excessive resources on the end of the companies attempting to scrape the data.
Obviously what others have said about firewalls, VPNs, and antivirus still applies; maybe also a rootkit hunter and Linux Malware Detect? I’m still new to this though, so you probably know more about all that than I do. Sorry if I’m stating the obvious.
Not sure if this is overkill but maybe Network Security Toolkit might have some helpful tools as well?
I don’t think you’re in any danger if you are truly a human.
Your devices, OTOH…
I admit nothing.
Dealing with this constant threat seems like it would be frightening enough as a full-time job, but this would only be a hobby project for me.
Hobbyist/Enthusiast here. Most of the bots are autonomous. They are deployed and constantly sniff for any little cracks and crevasses in the armor. Don’t be fooled tho, they are quite sophisticated. I see some have mentioned fail2ban, and Crowdsec. Both are very capable. UFW (uncomplicated firewall) is also very good. When I set up UFW and my external, standalone pfsense firewall, the way I go about it is to block everything, then step by step, open only the ports that absolutely have to be opened.
Tailscale is also a great overlay vpn along with netbird. Tailscale can also be used as an emergency entry to your server should you lock yourself out, so it has multiple uses. Additionally, since you say you have technical knowledge, Cloudflare Tunnel/Zero Trust pretty much wraps everything up. I know there are a lot of selfhosters dead set against Cloudflare, so that’s a decision you have to make. Cloudflare does not require you to open ports or fiddle with NAT. You set it up on your server, Cloudflare takes care of the rest. If you wanted additional protection, you could install Tailscale as an overlay on the server. The caveat to using Cloudflare Tunnel/Zero Trust is that you have to have a domain name that allows you to enter and use Cloudflare’s name servers for obvious reasons. You can get a domain anywhere although Cloudflare will sell you one if you wish to go that route.
Since I am the only user of my server, I’ve taken the additional step of implementing the hosts.allow/hosts.deny TCP Wrapper ACL files (although you can have multiple users with hosts.allow/hosts.deny). If you go this route, make sure you do the hosts.allow, so that when you edit the hosts.deny you’ll enter
ALL : ALLfor a default‑deny stance. For my purposes, multiple users cause multiple issues, so I don’t share. :pProbably should go without saying you should use ssh keys when administrating the server via ssh.
ETA: Hope everyone is safe in the US with this frigid weather.
ETA2: If you decide to go with Cloudflare Tunnel/Zero Trust, I have some notes that seems to have helped several people and I would be happy to share them.
Please do share your Cloudflare notes.
Just use tailscale and don’t forward any ports and you’ll be fine
There’s a lot of technical answers here, but Tailscale is what you want OP. Self-hosting is only a risk if you open ports. Tailscale doesn’t require opening any ports.
Alternatively, you could set up your own VPN and forward one port to the VPN. The risk of port forwarding to VPN such as Wireguard or OpenVPN is minimal.
The risk of being attacked applies to those that port forward web traffic so it can be accessed without a VPN by themselves or others. If you don’t do that, the risk is very low.
Exactly what I wanted to say + don’t install something you don’t trust.
Is it bad to forward ports temporarily to game with friends? And deactivate after?
I dont have the energy to learn new fanglad networking since everything is so insecure now…im used to 2009 servers.
No?
I mean, how else are you meant to play the game actually?
I guess you could be like opening ports just to particular IPs. And you need a game that isn’t Swiss cheese that gets immediately hacked.
But like hackers don’t sort of seep in through port forwards; they need to physically identify and exploit a particular vulnerability.
It’s not really complicated at all you just download the tailscale app make an account and then hit share to your friends. That’s how I run a Minecraft server for me and my friends because I was too lazy to figure out how to port forward. It was easier to just sudo apt install tailscale and essentially be done.
That sounds so easy my friends could do it! Ill need to read up
They don’t have to succeed once.
Use antivirus and other endpoint security measures. Rotate your passwords and keys. Use Everything as Code, and for goodness sake make backups.
If you find yourself compromised, rotate and burn the keys, wipe and redeploy.
Everything that you mention is sensible, but it seems like it would take so much time not only to set up but to perform the ongoing maintenance you described that it just is not worth the trouble to self-host, which is a significant factor in why I have not taken a shot at it.
I think most home lab/shelf hosters start off because they want to learn something. I think (generally, philosophically) many people never start something new even if it interests them because they are afraid. To this point, it sounds like you can either let the fear prevent you from doing what you want, or you can use the fear as a learning tool.
Start simple. Build something very easy and isolated, air gap it if you need to. Figure out how logs and monitoring work, maybe even try attacking it yourself, so you have confidence that even if it’s compromised you will see how and why. Then you can connect it to the internet, isolated from the rest of your network, and then you will learn how well- or un-founded those fears are. Learn even more about monitoring and defending, then start looking for a job as a cybersecurity professional because you are already well underway.
Self-hosting means taking on those maintenance responsibilities yourself. Same as doing your own plumbing or car maintenance. Either you spend the time and effort yourself, or you pay someone else to do it.
Step 1 is to do everything inside your network with data you don’t care about. Get comfortable starting services, visiting them locally, and playing around with them. See what you like and don’t like. Feel free to completely nuke everything and start from scratch a few times. (Containers like Docker make this super easy).
Step 2 is to start relying on it for things inside your network. Have a NAS, maybe home assistant, or some other services like Immich or Navidrome. Figure out how to give services access to your data without relying on them to not harm it (use read only mounts, permissions, snapshots, etc.)
Step 3 is to figure out how to make services more accessible away from home. Whether that is via a VPN, or something like tailscale, or just carefully opening specific ports to specific secure and up-to-date services. This is the part you’re feeling anxious about, and I think you’ll feel less anxious if you do steps 1 and 2 first and not even think about 3 yet. Consider it its own challenge, and just do one challenge at a time.
