Are small tools safe enough for self-hosting?

Are you running small software projects in your Homelab? Recently, something happened that made me question the safety of self-hosting with small software projects. Let's talk about the threats of self-hosting, especially when using smaller software projects. We'll look at the example of Nginx Proxy Manager and how it can help us understand the risks of self-hosting with small software projects. We'll also discuss how to find the sweet spot between using small projects and big cloud services. Join the discussion and find out more! #homelab #selfhosting #smallsoftwareprojects


Timestamps:

00:00 Introduction
00:51 What happened with Nginx Proxy Manager?
05:10 Threats of Self-Hosting using smaller tools
07:05 Support and Maintenance
08:20 What should you do?

Comments

I remember during the reveal of the Heartbleed vulnerability that it was brought to the forefront that OpenSSL was maintained by 2 people.

coleshores

To be honest, if you are self-hosting in a closed home network and somebody gains access to exploit many of these vulnerabilities, you probably have way, way bigger problems than these vulnerabilities.

randmtv

Tuesday is security day. More security stuff please!

Some projects (like NPM) are so popular that one doesn’t consider checking up on the security track record. Thanks for reminding us.

Just put out my own video on securing a VPS/Linux server - the lazy way for beginners :)

DigitalIndependent

Just like you did videos about configuring Nginx Proxy Manager, now it would be interesting to do one on migrating to Nginx only. And maybe another one to move on to Traefik.

ManelRodero

I’m not sure I understood the advisory correctly, but wouldn’t an attacker need to be authenticated to exploit this vulnerability? They used a JSON Web Token for the POST request that delivers the payload. Still bad, but not as bad as exposing it to everybody. Also, usually I don’t have such admin panels accessible to the open internet anyway (like most people, I would hope), so in this case an attacker would need to have access to your home network as well as be authenticated in NPM. By the time they are in your home network you probably have other concerns than their access to a Docker container.

But the general point made here is still valid.

sekanderbast

Love the focus on security with this video. With all the threats and constantly emerging vulnerabilities, it's a moving target and easy to forget the threat is real. Hope to see more videos touching on security.

deeds

I am not sure what the point of the video was.
People who self-host are probably technically literate enough and (should) know what to expect from FOSS projects.
Is it really a surprise that small projects are often maintained by few people in their spare time? The reason those projects are open source is often so that people can contribute, not so that people can just blindly trust and use them.

bubi

Great video! Maybe I'm the only one wondering, but what is an alternative to NPM then? Traefik, or is it a similar story?

Keptains

I moved from it a few weeks ago; you just made me notice more issues. Thx for sharing.

joelfankam

Wow, thanks Christian!
I am currently using the cloudflared tunnel Docker container on my Synology NAS to connect to a Nextcloud and a Mattermost container, but I am having issues with SSL, as neither Nextcloud nor Mattermost has a certificate.
I will try to use Traefik, thanks for the tip!

YOUnoobGER

I really like these vids, security is more important than ever!

Blivius

This especially goes for anything that faces the public internet; if you're using these kinds of tools internally the risk is negligible.

tddi

One thing you forgot to mention is that Version 3 of NPM is being worked on now, and that it is a complete rewrite from JavaScript to a completely new Go backend and new JS frontend. This might also make it less likely to work on Version 2 as it will soon, eventually, be outdated. Version 3 has been in development for over two years.

rapjul

A vulnerability in a self-hosted project not exposed to the internet is still far less dangerous than, say, a Python library you don't know the true contents of, or random Docker images, etc. Unless the CVE is that the project actively downloads malware or exfiltrates data, you just have to be careful about how you use small projects. Good luck combing through all the libraries most DevOps guys use.

LackofFaithify

This might be another video, but SaaS solutions also have a similar impact, although not as bad. I wouldn't say M$ or Google would be in that list, but there are quite a few smaller SaaS companies who are feature driven and not security driven. I've had several run-ins with smaller SaaS (but 'cost-effective') companies who would drag their feet, or literally work against you, when reporting or pushing for a security fix (even as a paying customer). NPM has somewhat of an excuse because they rely on donations, but it can be frustrating to see a paid solution do this. Also, one 'pro' to consider for self-hosting is that you have more freedom to implement mitigations if there's a critical CVE on the loose; with a SaaS, you're at the mercy of the company's willingness to fix it in time.

This helped me reconsider NPM and look at others like Traefik, thank you!

killacups

It all depends on who is supposed to have access.
If you are the only one, it's simpler to leave open only the VPN port and set all services inside to listen only on the tunnel interface, not the physical ones.
Some problems are mitigated in that case, even if the software is bugged.

parheliaa
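A check for the advice in the comment above (bind services to the VPN tunnel interface only), as an added example that is not part of the video or its comments: it parses the output of `ss -tlnp` and flags every TCP listener not bound to loopback or the tunnel address. The `ss` output and the tunnel address 10.8.0.1 are constructed assumptions.

```python
"""Flag services listening on interfaces other than the VPN tunnel.

Added example, not from the video or its comments. It parses `ss -tlnp`
output (sample below is constructed) and reports every TCP listener whose
bind address is not loopback or the tunnel address, so that a self-hosted
admin panel is not reachable from the LAN or the internet by mistake.
"""
import re
import ipaddress

# Constructed sample output of `ss -tlnp`; addresses and PIDs are made up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    10.8.0.1:81          0.0.0.0:*          users:(("node",pid=1201,fd=20))
LISTEN  0       4096    0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1150,fd=7))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=900,fd=5))
LISTEN  0       4096    [::]:22              [::]:*             users:(("sshd",pid=610,fd=3))
LISTEN  0       4096    192.168.1.20:8080    0.0.0.0:*          users:(("traefik",pid=1300,fd=9))
"""

# Assumption: the WireGuard/OpenVPN tunnel address is 10.8.0.1; loopback is always fine.
ALLOWED = {"10.8.0.1", "127.0.0.1", "::1"}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Return (address, port, process) tuples for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        addr, port, rest = m.groups()
        addr = addr.strip("[]")  # ss prints IPv6 addresses in brackets
        proc = PROC_RE.search(rest)
        listeners.append((addr, int(port), proc.group(1) if proc else "?"))
    return listeners

def exposed_listeners(ss_output, allowed=ALLOWED):
    """Listeners reachable via physical interfaces: wildcard or non-allowed address."""
    exposed = []
    for addr, port, proc in parse_listeners(ss_output):
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified or addr not in allowed:
            exposed.append((addr, port, proc))
    return exposed

if __name__ == "__main__":
    for addr, port, proc in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc} listens on {addr}:{port} (not restricted to tunnel/loopback)")
```

On a real host, pipe `ss -tlnp` into `exposed_listeners` and set `ALLOWED` to your own tunnel address; a service on `0.0.0.0` or a LAN address is reachable without the VPN.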

I abandoned NPM. They suddenly introduced a retrocompatibility issue for Arm7. It was never solved, even though it was reported by many. It was a nice project. It's a pity.

mnieri

Been using Caddy for a month and honestly couldn't be happier; it was also easier to configure than NPM, if you can believe it!

sidokouki

The problem with NPM is that he has an open source project that he is basically developing on his own. He doesn’t accept many PRs and is away for months without any notice. I tried to get in contact with him, but even after months he doesn’t respond. The team is a one-man team.

samtv

Thanks for the great channel.
I'm just starting out with a Linux server (Ubuntu) running off a laptop for my "home lab". If you were to restart with roughly $2000 - $3000, what would you go for? It would mostly be test environments, but it could potentially host initial production databases and applications. Could you do a vlog on this, unless the solution is stupidly straightforward? Thanks.

stevennicholas