If you don’t need stuff publicly accessible, and just need it accessible to you, then set up a small computer on the network as an ssh Bastion host/jump server, put it on a VPN connection with a VPN provider that offers dyndns, forward the ssh port through the dyndns, and then off network, reverse proxy in with socks5 via key based ssh -D to gain access to all the services available inside the LAN.

Been doing this for a few years, works great and no one is getting in without my ssh key.

Tailscale on everything

Step 1 is to do everything inside your network with data you don’t care about. Get comfortable starting services, visiting them locally, and playing around with them. See what you like and don’t like. Feel free to completely nuke everything and start from scratch a few times. (Containers like Docker make this super easy).

Step 2 is to start relying on it for things inside your network. Have a NAS, maybe home assistant, or some other services like Immich or Navidrome. Figure out how to give services access to your data without relying on them to not harm it (use read only mounts, permissions, snapshots, etc.)

Step 3 is to figure out how to make services more accessible away from home. Whether that is via a VPN, or something like tailscale, or just carefully opening specific ports to specific secure and up-to-date services. This is the part you’re feeling anxious about, and I think you’ll feel less anxious if you do steps 1 and 2 first and not even think about 3 yet. Consider it its own challenge, and just do one challenge at a time.

Well for one its not as automatic as it sounds. Basic protections will get you far. I have a minecraft server exposed but it only accepts connections from 3 specific places. Remember its the same as ever other real life deterrant, make yourself less of a target than the next guy. It also really helps not having juicy company data on your network. Home networks are way less of a target because you dont have any fine booty to loot.

Yikes, lot’s of bad advice in this thread.

My advice: Go develop an actual threat model and find and implement mitigations to the threats you’ve identified.

If you can’t do that, that’s totally okay; it’s a skill that takes a lot of time and effort to learn and is well-compensated in the industry.

You will need to pay for it. Either through an individual assessment by someone who knows what they’re doing, managed hosting services where the hoster is contractually liable and has implemented such measures, by risking becoming part of a botnet or by not hosting in a world-public manner.

My recommendations:

• Pay for proper managed hosting for every part of your system that you are not capable of securing yourself. This is a general rule that even experienced people follow by i.e. renting a VPS rather than exposing their own physical HW. There are multiple grades to this such as SaaS, PaaS and IaaS.
• Research, evalue and implement low-hanging fruit measures that massively reduce the attack surface. One such measure would be to not host in a manner that is accessible to the entire world and instead pay for managed authenticated access that is limited to select people (i.e. VPN such as Tailscale)
• git gud

deleted by creator

It’s all about server hardening. See https://blog.melroy.org/2023/server-hardening/

The only thing that can get hacked is something that responds on the World Wide Web.

So you limit the scope of what talks to the WWW:

Wireguard VPN will not respond unless the magic keys are correct, it’s ideal security and obscurity. Put everything you can behind it.

For things I want on the WWW without a VPN, I split out two options otherwise.

1. Caddy checking mTLS certificates that basically allows a device access without extra steps - relying on Caddy to be strong and mTLS to be strong.

2. Authentik’s proxy check, I think Authelia has this too, but to access a site you hit an Authentik login first.

For both of those, you rely on those services not having 0-day hacks. More likely for these services to stay ahead of the game and/or fix quick than something that doesn’t exist just to do authentication. I run them in containers that are run by independent users and are read-only with capabilities limited, in a VM.

I’d say the Caddy route is more secure than Authentik, but it needs more effort to setup the certificate stuff. Authentik route needs a web browser to log in with. Obviously the WG VPN is primo.

Edit: also tailscale is just managed wireguard, so it has the same benefits as a wireguard vpn with the catch a company has access to your network also now. But really simplifies setup……

What are you wanting to host? It’s pretty simple to not get hacked.

Only expose services internally then use a secure VPN to access your services, this makes your network no more vulnerable in practice than not self hosting. If you need/want to expose something to the internet, make sure you setup your network right. Use a DMZ to separate that service and leverage something like CrowdSec along with good passwords, antivirus, and keep things patched.

Outbound firewall and SMAC protections.

If you compromise my server you’ll struggle to phone home without manual intervention, which is good enough to stop botnets.

The ‘immediate attacks’ ppl mention is just static background noise. Server / scripts that run trying to find misconfigured, highly out to date or exploitable endpoints/servers/software.

Once you update your software, set up basic brute force protection and maybe regional blocking, you do not have to worry about this kind of attack.

Much more scary are so called 0-Day attacks.

1. No one will waste an expensive exploit on you
2. It sometimes can happen that 0-Days that get public get widly exploited and take long time to get closed like for example log4shell was. Here is work necessary to inform yourself and disable things accorsing to what is patched and what not.

As i already said, no one will waste time on you, there are so much easier targets out there that do not follow those basic rules or actually valuable targets.

There is obviously more that you can do, like hiding everything behind a VPN or advanced thread detections. Also choosing the kind of software you want to run is relevant.

It’s mostly automated exploit finders looking for low hanging fruit. fail2ban and up to date software is your friend.

Just use tailscale and don’t forward any ports and you’ll be fine

Have a limited attack surface will reduce exposure.

If, say, the only thing that you’re exposing is, oh, say, a Wireguard VPN, then unless there’s a misconfiguration or remotely-exploitable bug in Wireguard, then you’re fine regarding random people running exploit scanners.

I’m not too worried about stuff like (vanilla) Apache, OpenSSH, Wireguard, stuff like that, the “big” stuff that have a lot of eyes on them. I’d be a lot more dubious about niche stuff that some guy just threw together.

To put perspective on this, you gotta remember that most software that people run isn’t run in a sandbox. It can phone home. Games on Steam. If your Web browser has bugs, it’s got a lot of sites that might attack it. Plugins for that Web browser. Some guy’s open-source project. That’s a potential vector too. Sure, some random script kiddy running an exploit scanner is a potential risk, but my bet is that if you look at the actual number of compromises via that route, it’s probably rather lower than plain old malware.

It’s good to be aware of what you’re doing when you expose the Internet to something, but also to keep perspective. A lot of people out there run services exposed to the Internet every day; they need to do so to make things work.