Self-Hosting & Home Server Security Tips

In this video we're going to look at how to help secure your home server to make sure that only the people you want to have access to your applications will be able to access your server.

I'm not a security professional or a network professional, but I've picked up a few tips to help keep your server safer.

Comments

Please feel free to add any other security tips and tricks here in the comment section!

DBTechYT

Mostly agree but there are a few things I would add:
- set up 2FA or at least SSH keys for accessing the server
- disable root access for ssh
- use docker user namespace, so if a container gets compromised, there is no way to escalate privileges, escape the container, etc
- Bind docker ports to 127.0.0.1 and set up a reverse proxy with ssl encryption with a docker network
- and last but not least MONITOR. Monitor everything, set up alerts for ssh logins, alerts for high cpu usage, alerts for everything unusual (I like Zabbix for that).

jonhz
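
Added example, not part of jonhz's comment or the video: a small Python audit that checks three of the settings listed above (SSH root and password logins, Docker `userns-remap`, and published ports bound to 127.0.0.1). The sample configs are constructed, the function names are hypothetical, treating `PasswordAuthentication no` as the way key-only login is enforced is an assumption, and `Match` blocks in sshd_config are not handled.

```python
import json

# Constructed sample inputs (not taken from the video or the comment).
SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""
DAEMON_JSON = '{"log-driver": "json-file"}'
COMPOSE_PORTS = ["8080:80", "127.0.0.1:8443:443", "0.0.0.0:9000:9000"]


def sshd_effective(text):
    """sshd keeps the FIRST value seen per keyword; keywords are case-insensitive."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen


def audit_sshd(text):
    cfg = sshd_effective(text)
    findings = []
    # OpenSSH defaults when unset: PermitRootLogin prohibit-password,
    # PasswordAuthentication yes.
    if cfg.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("root login over SSH is not disabled")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("password logins still allowed (keys not enforced)")
    return findings


def audit_docker_daemon(text):
    """Flag a daemon.json that does not enable user-namespace remapping."""
    return [] if json.loads(text).get("userns-remap") else ["userns-remap not set"]


def exposed_ports(ports):
    """Return short-syntax port mappings that are not bound to 127.0.0.1."""
    return [p for p in ports if not p.startswith("127.0.0.1:")]


if __name__ == "__main__":
    for finding in audit_sshd(SSHD_CONFIG) + audit_docker_daemon(DAEMON_JSON):
        print("FINDING:", finding)
    print("Ports reachable from other hosts:", exposed_ports(COMPOSE_PORTS))
```

In the constructed sshd_config the later `PermitRootLogin no` has no effect, because the earlier `yes` is the value sshd uses.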

Found your videos a few weeks ago. You do an excellent job explaining things. This is a very useful video!

snoman

Great clear summary... Lots of material, quick. Great starting point before learning about each in depth.

MediMizerSoftware

Great video, thanks DB. The Cloudflare firewall rules and nginx allow lists were 2 things I had not been taking advantage of.

GlenBland

Always good tutorials, useful and simple to apply. My server on raspberry pi is running perfectly. Thank you so much

wallflower_es

Thanks as always, I literally woke up and did these changes on my server.

saikouma

THANK YOU!! This is the best explanation of how nginx secures a home lab that I have seen online!

mrsharps

I've been looking for a way to safely host a server from my home, thanks bud.

_siliconfox_

I do actually have one security tip to add: on the Cloudflare firewall page you can block access to admin panels or services. For example, if you don't want anyone modifying your publicly accessible WordPress, you can make a whitelist with "your IP is not X and URI path contains "/wp-admin"" then block, meaning only you can access anything that contains /wp-admin in the address.

vgamesx

I just wanted to say what everyone else is. I loved the video! I think security is something noobs tend to neglect because they're overwhelmed by how cool it all is.

But security is easiest to adopt when it's learned early. (like not using any random Docker image you come across)

Potentially a new type of video series to add to your repertoire.

Master.Billy.Quizboy

Great video. Nginx reverse proxy is awesome. Could you please create a how-to for VPN access?

elliotwilliams

Hey dbtech. In your raspberry pi series you touched upon fail2ban, even installing the plugin on OMV. Are there any plans to show us how to use this alongside docker, NGinxPM and letsencrypt?

thejerseyshaun

A small question: what IP should be written in the access list? Like IP / subnet? When I wrote only my public address here, I could not access it a few hours later. I saw a Cloudflare page and an SSL error. Should we also add the Cloudflare IPs to the allow list?

okanerdem

Great list. You could add video chapters and maybe cut some fluff from the presentation, but overall I found it informative.

A few times I zoned out and checked back in occasionally, asking “is he done talking about his cousin yet?” lol.

majorgear

Hello DB! Thanks for your valuable content! I am using your tips creating a Cloudflare Tunnel to access my remote applications remotely. I am just wondering whether it is better to put an nginx proxy between the tunnel and each application. The effort to maintain the tunnel will be the same in terms of adding a new service to the public web; however, I am thinking that it could be more secure (and slower, since there is an additional server to jump through to reach the application). What do you think? Is the effort worth it to keep this extra security layer? Thanks, greetings from Brasil!

issacohasi

Thanks, great video. I am new to both docker and OMV. I was wondering if you could do a video on the pros and cons of having multiple File Systems (Config, Data, etc) as opposed to just one big (All files) RAID.

AI-Tech-Stack

How were you able to configure your sites with access lists to read your actual IP and not the proxied IP that Cloudflare has you connecting as? When I put an access list on a site that only allows my public IP, I am still unable to access the site because of the Cloudflare proxy making my IP appear as one of Cloudflare's many IPs.

I guess I am also asking if you proxy the sites which you have an access list on. How are you getting nginx pm to recognize your IP when you try to connect to your site behind cloudflare proxies?

ScheveninGaming

Hello everyone ;)
I need some help with the UFW firewall.
-> Setup: My home server is behind the router's firewall (open ports 80, 443). RaspianPi, Nginx Proxy Manager (Docker Container +SSL), Website (Wordpress, Wordpress_db also in Container).
When I activate the Linux UFW firewall, nginx asks for user and password, but then ufw blocks the website (504 Gateway Timeout). I can't fix this problem because Docker is using bridges and its own networks. My thoughts were redirect problems, or nginx can't use the wordpress network.
Or do I not need an additional firewall in this case?
I would be very grateful for any tip. Thanks in advance

MrEXXS

Nice, I was already doing all of this, I don't need to touch anything, although I was unaware of 16:32 and how access lists worked, so thanks for pointing that out.

vgamesx