I’m still using the self-hosted Docker image, the all-in-one is too bloated for me and my computing resources are quite limited. Why would I like an antivirus? Or a backup solution different than the one I use to back up the rest of my containers?
Cool initiative anyway for other kinds of users though.
You’ll be fine enough as long as you enable MFA on your NAS, and ideally configure it so that anything “fun”, like administrative controls or remote access, is only available on the local network.
Synology has sensible defaults for security, for the most part. Make sure you have automated updates enabled, even for minor updates, and ensure it’s configured to block multiple failed login attempts.
You’re probably not going to get hackerman poking at your stuff, but you’ll get bots trying to SSH in, and log in to the WordPress admin console, even if you’re not using WordPress.
A good rule of thumb for securing computers is to minimize access/privilege/connectivity.
Lock everything down as far as you can, turn off everything that makes it possible to access it, and enable every tool for keeping people out or dissuading attackers.
Now you can enable port 443 on your NAS to be publicly available, and only that port because you don’t need anything else.
You can enable your router to forward only port 443 to your NAS.
It feels silly to say, but sometimes people think “my firewall is getting in the way, I’ll turn it off”, or “this one user needs read access to one file, so I’ll give read/write/execute privileges to every user in the system to this folder and every subfolder”.
So as long as you’re basically sensible and use the tools available, you should be fine.
You’ll still poop a little the first time you see that 800 bots tried to break in. Just remember that they’re doing that now, there’s just nothing listening to write down that they tried.
However, the person who suggested putting Cloudflare in front of GitHub Pages and using something like Hugo is a great example of “opening as few holes as possible”, and “using the tools available”.
It’s what I do for my static sites, like my recipes and stuff.
You can get a GitHub Action configured that’ll compile the site and deploy it whenever a commit happens, which is nice.
I wish I could’ve liked Nextcloud more, but it seemed bloated as all hell and was slow regardless of what machine I tried running it on :(. I might give it another go one day.
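Since the comments above mention the bots that show up in the SSH log and fail2ban as the usual answer, here is an added example (my own code, not anything from the commenters) of the counting logic a fail2ban-style jail applies: parse auth.log lines and report source addresses that cross a failure threshold inside a time window. The log lines, hostname, users and addresses are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what sshd writes to auth.log when bots knock.
# Not real traffic: hostname, users and the 198.51.100.x / 203.0.113.x
# addresses (documentation ranges) were made up for this illustration.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 nas sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 10 02:14:03 nas sshd[2213]: Failed password for invalid user wordpress from 198.51.100.7 port 51240 ssh2
Mar 10 02:14:06 nas sshd[2215]: Failed password for root from 198.51.100.7 port 51251 ssh2
Mar 10 02:14:09 nas sshd[2218]: Failed password for root from 198.51.100.7 port 51260 ssh2
Mar 10 02:14:12 nas sshd[2220]: Failed password for invalid user pi from 198.51.100.7 port 51266 ssh2
Mar 10 02:20:40 nas sshd[2290]: Failed password for invalid user test from 203.0.113.9 port 40011 ssh2
Mar 10 02:31:02 nas sshd[2301]: Accepted publickey for alice from 192.168.1.20 port 53002 ssh2
Mar 10 03:40:00 nas sshd[2400]: Failed password for invalid user test from 203.0.113.9 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed-password line.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def sources_to_ban(log_text, max_retry=5, window_minutes=10):
    """fail2ban-style rule: a source IP that fails max_retry times within
    window_minutes is returned with the time it crossed the threshold."""
    window = timedelta(minutes=window_minutes)
    attempts = defaultdict(list)
    banned = {}
    for ts, _user, ip in parse_failures(log_text):
        # sliding window: keep only failures that are still inside it
        hits = [t for t in attempts[ip] if ts - t <= window] + [ts]
        attempts[ip] = hits
        if len(hits) >= max_retry and ip not in banned:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in sources_to_ban(SAMPLE_AUTH_LOG).items():
        print(f"block {ip}: threshold crossed at {when:%H:%M:%S}")
```

The single-IP source with five failures in eleven seconds is flagged; the one that retries only twice, over an hour apart, is not, which is the difference between a drive-by and noise that the window setting controls.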
If it’s a static site, you can host that anywhere for free on the big cloud providers: AWS has S3 storage, Microsoft has Blobs, GitHub has Pages, all of which can be configured to run a site well under the paid tiers.
I know it’s not technically “self” hosted but I’d get a cheap yearly VPS somewhere and run a webserver off of that. For me it’s worth the peace of mind to keep my network a temple instead of a bus terminal. I paid $13 USD for the year for mine.
I believe Oracle is still offering to slice off a bit of compute for free that should accomplish OP’s goal. I’ve used it to test a Jellyfin host among other things and for the price it can’t be beat!
I’ve been running a script every 60 seconds for 2 months now as a cron job and it still hasn’t been able to create a VM in their US datacenter. I just have a log full of “insufficient host capacity” errors.
A VPS makes sense insofar as keeping things thoroughly isolated from my own systems, but the overhead of maintaining a box that’s directly connected to the Internet like that isn’t something I’m keen on and I’m not convinced I’d have the expertise to do it right from the outset.
The Oracle Cloud VPS only has SSH key authentication enabled by default. You can also set it to only allow SSH from your home IP in the virtual firewall before the machine is ever spun up.
Their current free ARM offering is 1 machine with 4 cores and 24 GB RAM for life. You can also add another 2 AMD machines with 1 core and 1 GB RAM and still be in their free tier.
If you’re going to set it up and take advantage of the ARM machine, make sure you pick a home location for your account that has multiple availability zones. San Fran right now only has 1 zone, so if the shared ARM instances are all used up, you’ll have to wait a few days and try again. Phoenix I think has 3, so you can try with another zone right away.
I guess I’m extremely paranoid then, my home IP doesn’t change much and I just expose the port only to it from Oracle’s site. I rarely touch mine though.
Changing port is security by obscurity and it doesn’t take much time for botnets to scan all of IPv4 space on all ports. See for example the ever-updated list that’s available on Shodan.
Disable password login and use certificates as you’ve suggested already, add fail2ban to block random drive-bys, and you’re off to the races.
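An added example of checking the settings the comment above recommends (my own code, not from anyone in the thread): a small audit of the global section of sshd_config, run over two constructed fragments, that also mirrors two sshd parsing rules people trip over: a repeated keyword keeps its first value, and directives after a Match line are conditional rather than global.

```python
# Two constructed sshd_config fragments (not copied from any real host):
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
# a stray later duplicate: sshd keeps the FIRST value, so this is inert
PasswordAuthentication yes
# everything below only applies to the LAN and is not a global default
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# what an Internet-facing host should have (keywords are case-insensitive)
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
}

def parse_global_sshd_config(text):
    """Return {keyword: value} for the global section only: a repeated
    keyword keeps its first value, and parsing stops at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence wins
    return settings

def audit(text):
    """List (keyword, found, expected) for each deviating global setting;
    an absent keyword is 'unset', since sshd's built-in default may be weak."""
    cfg = parse_global_sshd_config(text)
    return [(key, cfg.get(key, "unset"), want)
            for key, want in EXPECTED.items() if cfg.get(key) != want]
```

Note that a missing PasswordAuthentication line is reported too, because sshd's compiled-in default for it is yes; only an explicit no in the global section counts.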
I just restrict SSH to an internal VPN IP on all my servers (ZeroTier). 100% impossible to even try logging into them unless you’ve managed to crack into my network first.
+1 for VPS, the IONOS ones are $2/mo and have unlimited bandwidth at 400 Mbps. That’s basically the cost of electricity for a home server with orders of magnitude better reliability.
I’ll let folks with more security experience dive into your specific question, but another option is to host your website on something like GitHub Pages (using a static website generator like Jekyll) and point Cloudflare at it. That way you don’t need anything pointed at your local network, get the uptime of GitHub, and still benefit from your own domain name.
That’s what I’m doing with my own blog and it’s been great. GitHub provides the service for free but if they ever charge for it I’ll just start hosting it locally.
That’s what I’m doing! I used it to make a “blog” of all the things I had to learn to switch to Linux for my home drives and daily gaming rig. Complete with copy buttons on the code blocks so I can do a complete reformat in minutes!
Or take GitHub out of the equation and directly use Cloudflare Pages. It has its own pros and cons, but for a simple static blog it’ll be more than enough, and takes out the CNAME hassle.
One of the first services on my server was Nextcloud in a Docker container from lsio. Never had problems, so there was no need to try AIO, but so many people recommend it that it will be my next setup if this one fails me.
I decided to go with this one because it’s now the official distribution channel and supported by the devs. But the lsio one looks pretty solid as well.
As in, I have Nginx running on my server and use it as a reverse proxy to access a variety of apps and services. But can’t get it playing nicely with AIO Nextcloud.
I tried to set this up beside my existing mailcow server. Mailcow runs smoothly and has a web interface. And I am not on my way to ditch it just for JMAP.
Idk which happens sooner:
1. Dovecot integrates JMAP (I would stay with mailcow)
2. More clients support JMAP (eventually switch to Stalwart)
3. Stalwart gets a web interface (eventually switch to Stalwart)
I was about to ask why this is better than the docker installation, but I see step one is to install docker haha.
I’ve been running the Docker container for a long time, it works very well. It is a bit more complicated if you try and use extensions that require separate containers (like setting up Collabora), but that can be done as well. It’s just more complicated.
I do remember needing to know how to access the internal terminal a few times, but I don’t remember why. If I think of it I’ll come back and add instructions.
As a former self-configured docker compose NC user, I have to say I’m way happier with the AIO. But still, the older docker method was head and shoulders over any other method of running NC that I’d used.