by jfdi 1038 days ago
Genuine q. The main thing stopping me from self hosting is security. Having a box in the cloud get hacked as long as data is properly encrypted and secured - not good but also can easily destroy and spin up anew.

But having your home server hacked and then presumably your entire home network and everything in it - seems way too fraught to even attempt it.

Thoughts on that? Am I just too unfamiliar with network security and this is actually solved now — and there is already a well-defined trusted approach to this?

6 comments

A webserver like nginx hosting a static (files in folders) website is incomparably more secure and less of a risk than say, opening your web browser and going to a website without disabling javascript execution. The number of nginx remote exploits in the last decade could be counted on one hand, probably without using all the fingers.

The mistake many make at the start is trying to run a complex web application backend with php or databases or whatever. Or using some "easy" container all-in-one containing these complexities. Maintaining the security of that is a neverending difficult task. Whereas maintaining nginx installed from your OS repos literally requires no work at all. KISS and you'll be perfectly safe.

If you are just hosting static files, you could drop it on github pages and it would work perfectly for free.

For all its faults, the term "zero trust" applies here - treat your local network as untrusted.

Historically the security of Ethernet, IEEE802.11 and other such protocols has been full of half measures, laughably weak crypto and whatever WPS is supposed to be. Look at the history of wireless security if you want to have a good laugh.

In the application layer, on the other hand, we have rock solid solutions like SSH which remain the gold standard for security.

That sounds like an ideal more than a reality. Windows has separate "Home network" firewall settings that it automatically detects, and I assume lots of other consumer devices make similar assumptions.

Yeah you can lock everything down, _if_ you're careful, _if_ you don't mess up, _if_ some consumer hardware doesn't have a vulnerability

With 3 routers you can isolate your home network from external-facing services very securely.

https://www.grc.com/sn/sn-545.pdf

Haven't read yet but I found the transcript in HTML which is easier to read on a phone: https://www.grc.com/sn/sn-545.htm

TLDR

Untrusted devices behind one router, trusted devices behind another router, both routers behind a third. The routers should be dumb, rock hard, and NAT. If the untrusted devices were behind just the outer router they could potentially intercept trusted traffic traversing that network. If the trusted devices were behind just the outer router, I guess the untrusted devices might somehow use IP tricks to enumerate devices or something.

They mention vlans, and say it's basically a homemade vlan. Why not use vlans then? No mention of DMZs. Or if you have a single router with configurable firewall, couldn't you just firewall traffic between untrusted and trusted ports? I'm not sure of the context of this idea. Do they make cheap routers with enterprise-level hardening that don't support firewalls?

You have to cheat and compromise your morality somewhere to make it work with decentralizing, I've found. Here, the answer is a Cloudflare tunnel. Hail corporate.

Same concern here. Also not just hacking the box, but if they figure out your service's ip it's the same as all your other stuff. Would ipv6 help this? Each device gets a different ip so there shouldn't be correlation, but could people make assumptions about ipv6 prefixes to discover other hosts on your network?

Are separate physical hosts a real improvement in security? It seems like a real air gap vs relying on linux hardening. Lots of raspberry pis (something cheaper now?) vs one larger home server hosting multiple services.

My consumer router has a dmz mode, but I'm not sure how far I can trust it. I guess it's a good thing nobody uses any of the stuff I host.

That's just the reality of it. Your self-hosted box will never be as secure as something hosted by Google where they have teams of people working full time on securing every single layer of the stack right down to finding bugs in the CPUs that their servers run on.

Is it though? The more complex a setup, the more of an attack surface. Even stuff like social engineering, tricking their support into giving access to your server is a possibility.

YouTube channels get hacked so often, even from technical people like Linus Tech Tips.