221 points finnlab | 46 comments
1. 0xEF ◴[] No.43545644[source]
I love the idea of self-hosting, especially since I keep a number of very tiny websites/projects going at any given time, so resources would not really be too much of an issue for me.

What stops me is security. I simply do not know enough about securing a self-hosted site on real hardware in my home and despite actively continuing to learn, it seems like the more I learn about it, the more questions I have. My identity is fairly public at this point, so if I say the wrong thing to the wrong person on HN or whatever, do I need to worry about someone much smarter than me setting up camp on my home network and ruining my life? That may sound really stupid to many of you, but this is the type of anxiety that stops the under-informed from trying stuff like this and turning to services like Akamai/Linode or DO that make things fairly painless in terms of setup, monitoring and protection.

That said, I'm 110% open to reading/watching any resources people have that help teach newbies how to protect their assets when self-hosting.

replies(13): >>43545681 #>>43545687 #>>43545733 #>>43545739 #>>43546101 #>>43546191 #>>43546239 #>>43546265 #>>43546590 #>>43552531 #>>43555038 #>>43555405 #>>43556435 #
2. doublerabbit ◴[] No.43545681[source]
A VPS with a software firewall is more than enough.

Block port 22, secure SSH with certificates only. Allow port 443 and configure your web server as a reverse proxy with a private backend.

You don't need an IDS, you don't need a WAF and you don't need Cloudflare.

Unless you become the next Facebook that's when you start to become concerned about security.

replies(3): >>43545715 #>>43545717 #>>43545744 #
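
The "block 22, keys only, allow 443" advice above, written out as an added example (not code from the thread or from doublerabbit): an nftables ruleset with a default-deny inbound policy and an sshd drop-in that disables password logins, plus a check for the classic mistake of leaving a `PasswordAuthentication yes` line in front. The admin address 203.0.113.10 and interface eth0 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny nftables ruleset plus
# an sshd hardening drop-in for "block 22, keys only, allow 443".
# Assumptions (hypothetical, override via environment): the admin connects
# from 203.0.113.10 (a TEST-NET-3 address) and the public interface is eth0.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
WAN_IF="${WAN_IF:-eth0}"

# Print the nftables ruleset. Inbound policy is drop: loopback, established
# flows and ICMP pass, 22 is reachable from ADMIN_IP only, 443 is public.
# Outbound is left open; tighten it once you know what the box needs.
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    iifname "$WAN_IF" ip saddr $ADMIN_IP tcp dport 22 accept
    iifname "$WAN_IF" tcp dport 443 accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Print an sshd drop-in (OpenSSH 8.2+ reads /etc/ssh/sshd_config.d/*.conf):
# public keys only, root only with a key, no forwarding, no X11.
sshd_dropin() {
  cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
AllowTcpForwarding no
X11Forwarding no
MaxAuthTries 3
EOF
}

# Check sshd config text: prints "ok" if password logins are off, "weak"
# otherwise. sshd uses the FIRST occurrence of a keyword and defaults
# PasswordAuthentication to yes, so a missing directive is also "weak".
sshd_config_check() {
  v=$(printf '%s\n' "$1" | awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}')
  if [ "$v" = "no" ]; then echo ok; else echo weak; fi
}

# Apply on the host (run as root). `nft -c -f -` dry-runs the ruleset;
# `sshd -t` validates before reload so a typo cannot lock you out.
apply() {
  nft_ruleset | nft -c -f - && nft_ruleset | nft -f -
  sshd_dropin > /etc/ssh/sshd_config.d/10-hardening.conf
  sshd -t && systemctl reload ssh
}
case "${1:-}" in apply) apply ;; esac
```

Run `./harden.sh apply` as root, but only after confirming you have an out-of-band console (the VPS provider's web console) and that your key already works, since the ruleset drops port 22 from everywhere except ADMIN_IP. If the drop-in directory does not exist, `sshd -t` will tell you and the main sshd_config is the place for the same lines.
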
3. palata ◴[] No.43545687[source]
I agree with this: I personally don't need tutorials for hosting stuff, rather tutorials about securing it properly.
replies(1): >>43545821 #
4. XorNot ◴[] No.43545715[source]
I'm less worried about SSH access than I am about a vulnerability in some front-end web service though.

I've contented myself using TLS client certs on my family's Android phones (which do not work at all on iOS for something like Home Assistant).

5. palata ◴[] No.43545717[source]
> A VPS with a software firewall is more than enough.

So you don't self-host at home, right?

I have been considering setting up a physical DMZ at home, with two routers (each with its own firewall), such that my LAN stays unmodified and my server can run between both routers. Then it feels like it would be similar to having a VPS in terms of security, maybe?

replies(1): >>43545723 #
6. doublerabbit ◴[] No.43545723{3}[source]
I colocate four servers in two DCs, all running FreeBSD with PF. My main host is running a jail that hosts a bhyve VM.

With four jails, each running their own bhyve VMs, they run another FreeBSD OS, allowing me to host jails for different services: email, web and game servers.

I'm not a fan of DMZ as they get messy as you then have to ensure your host is protected correctly. So I use bridges, I have two bridges an outer and inner.

Services requiring outbound internet access are tapped to the outer bridge, which is throttled and, if required, can then load balance between it and the inner bridge, which is under control of deny all, allow some, to my own set of home IPs.

The outer bridge cannot contact services in the inner but the inner can contact the outer but can only host internally.

This all done with PF within each jail as each jail provides you with its own vnet adapter which can be applied to a bridge.

If you wish to learn further, that is what you work up to. But for the personal user who wishes to self-host and have an internet presence, a firewall is just fine.

replies(1): >>43546716 #
7. segu ◴[] No.43545733[source]
You should encrypt and backup your assets regularly. We recently published a tutorial on how to do so using B2 and Infisical so that your private key doesn't live on the server: https://infisical.com/blog/self-hosting-infisical-homelab
8. fm2606 ◴[] No.43545739[source]
I'm right there with you, except at times I have thrown caution to the wind and made my sites available.

My current setup is to rent a cheap $5/month VPS running nginx. I then reverse ssh from my home to the VPS, with each app on a different port. It works great until my electric goes out; when it comes back on, the apps become unavailable. I haven't gotten the restart script to work 100% of the time.

But, I'd love to hear thoughts on security of reverse SSH from those that know.

replies(3): >>43545787 #>>43546006 #>>43546477 #
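
One way to lock down the reverse-SSH arrangement described above, as an added example (not code from the thread or from fm2606): the VPS side accepts the home box's key only for remote port forwards on fixed ports and drops dead sessions quickly, and the home side runs ssh under systemd so it returns after a power cut. The user name "tunnel", host "vps.example" and ports 8081/8082 are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: a reverse SSH tunnel from home to a
# VPS, with the VPS side locked down so a compromised home box (or a stolen
# key) gets nothing but the forwarded ports, and the home side supervised by
# systemd so it comes back after a power cut. Hypothetical names: user
# "tunnel", VPS "vps.example", app ports 8081 and 8082.

# VPS: authorized_keys line for the tunnel user. "restrict" turns off pty,
# agent/X11 forwarding and command execution; "port-forwarding" re-enables
# forwarding, and permitlisten pins the ports this key may bind with -R.
tunnel_key_line() {
  key="$1"; shift
  opts="restrict,port-forwarding"
  for p in "$@"; do opts="$opts,permitlisten=\"$p\""; done
  printf '%s %s\n' "$opts" "$key"
}

# VPS: sshd Match block. Forwards stay on loopback (GatewayPorts no), so only
# the local nginx can reach them; dead sessions are dropped after ~90 s so a
# reconnecting client does not find its port still held by a zombie session,
# which is the usual cause of "the box is back but the apps are unreachable".
vps_sshd_match() {
  cat <<'EOF'
Match User tunnel
    AllowTcpForwarding remote
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    ClientAliveInterval 30
    ClientAliveCountMax 3
EOF
}

# Home: systemd unit. ExitOnForwardFailure makes ssh exit (and systemd retry)
# instead of staying connected with no forward; ServerAlive* detects a dead
# VPS link. The VPS host key must already be in /home/tunnel/.ssh/known_hosts.
home_tunnel_unit() {
  host="$1"; shift
  fwd=""
  for p in "$@"; do fwd="$fwd -R $p:127.0.0.1:$p"; done
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $host
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
ExecStart=/usr/bin/ssh -NT -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes$fwd tunnel@$host
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}
```

Typical use: `tunnel_key_line "$(cat home.pub)" 8081 8082 >> /home/tunnel/.ssh/authorized_keys` and `vps_sshd_match >> /etc/ssh/sshd_config` on the VPS, then `home_tunnel_unit vps.example 8081 8082 > /etc/systemd/system/reverse-tunnel.service` at home followed by `systemctl enable --now reverse-tunnel`. The nginx on the VPS then proxies to 127.0.0.1:8081 and 127.0.0.1:8082 exactly as before; what changes is that the key can no longer open a shell or forward anything else.
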
9. mhitza ◴[] No.43545744[source]
> A VPS with a software firewall is more than enough.

You want VPS-provider firewall. Docker's going to punch holes through your software firewall.
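
The point above is worth seeing concretely. As an added example (not code from the thread or from mhitza): an audit that lists containers with ports published on every interface, and the two usual fixes, binding published ports to loopback and putting WAN policy in the DOCKER-USER chain. The `docker ps` sample is constructed data; eth0 is an assumed interface name.

```shell
#!/bin/sh
# Added example, not code from the thread. Docker manages its own iptables
# chains (DOCKER, DOCKER-USER) in the nat and filter tables and they are
# evaluated before distribution-managed chains such as ufw's, so
# `-p 8000:8000` is reachable from the Internet even with `ufw deny 8000`.
# The `docker ps` sample below is constructed data, not captured output.
SAMPLE_PS=$(printf 'vaultwarden\t127.0.0.1:8081->80/tcp\npaperless\t0.0.0.0:8000->8000/tcp, :::8000->8000/tcp\ntorrent\t0.0.0.0:9091->9091/tcp, 0.0.0.0:51413->51413/tcp\ndb\t5432/tcp')

# Audit: print containers whose ports are published on every interface
# (0.0.0.0 or ::). Feed it `docker ps --format '{{.Names}}\t{{.Ports}}'`.
# Ports with no "->" (db above) are container-only and not published.
find_public_binds() {
  printf '%s\n' "$1" | awk -F'\t' '$2 ~ /(0\.0\.0\.0|::):[0-9]+->/ { print $1 }'
}

# Fix 1: publish to loopback only and front it with your reverse proxy,
# e.g. `docker run -p 127.0.0.1:8000:8000 ...` or in compose
# `ports: ["127.0.0.1:8000:8000"]`. Then only 443 on nginx faces the WAN.

# Fix 2: Docker consults the DOCKER-USER chain first and does not flush it,
# so put a WAN policy there. Packets in this chain are already DNAT'd, so
# match the ORIGINAL destination port via conntrack rather than --dport.
# `-I` inserts at the top, so rules are emitted in reverse evaluation order;
# the resulting chain reads: established -> 443 -> drop the rest from WAN.
docker_user_rules() {
  wan="${1:-eth0}"   # assumed public interface
  cat <<EOF
iptables -I DOCKER-USER -i $wan -j DROP
iptables -I DOCKER-USER -i $wan -p tcp -m conntrack --ctorigdstport 443 --ctdir ORIGINAL -j RETURN
iptables -I DOCKER-USER -i $wan -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
EOF
}
```

Use `find_public_binds "$(docker ps --format '{{.Names}}\t{{.Ports}}')"` on the host; anything it prints is reachable from outside regardless of ufw. The DOCKER-USER rules need to be reapplied at boot (a systemd unit or your firewall's own persistence), and they only govern traffic forwarded into containers, not services running directly on the host.
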

10. _mitterpach ◴[] No.43545787[source]
Maybe try running your services in docker, I don't know how difficult that would be to implement for you, but if you run it in containers you can get it to start up after an outage pretty reliably.
replies(1): >>43545862 #
11. Aachen ◴[] No.43545821[source]
Could you give an example of a guide that helped you self host a system or service by telling you how to do the security? One that shows what information would be missing from a regular setup tutorial?

I'm a security consultant so this is not a problem I have. To me it seems very straightforward and like most things are secure by default (with the exceptions being notorious enough that I'd know of it), so I'm interested in the other perspective

replies(2): >>43546857 #>>43547817 #
12. fm2606 ◴[] No.43545862{3}[source]
Yeah, that is a good idea and as I have been doing a little bit of studying Kubernetes I thought about that too (overkill for sure).
replies(1): >>43546338 #
13. the_snooze ◴[] No.43546006[source]
I do something similar with my home server, but with a WireGuard split tunnel. Much easier to set up and keep active all the time (i.e., on my phone).

Nginx handles proxying and TLSing all HTTP traffic. It also enforces access rules: my services can only be reached from my home subnet or VPN subnet. Everywhere else gets a 403.

replies(1): >>43552562 #
14. nijave ◴[] No.43546101[source]
Don't expose anything to the Internet. Use a tunneling tool (Tailscale et al) or VPN
replies(2): >>43546370 #>>43546600 #
15. Brian_K_White ◴[] No.43546191[source]
A few days after a remark on hn, while the thread was still active, I received a mysterious package I didn't order from a weird drop shipping service where the original sender is unknown and undiscoverable to you, the recipient. It didn't contain anything bad, just a single surgical mask (during covid, a common valueless item basically). The message was just that they could find my home address. It was a stupid message since I obviously do not hide my identity on hn. But it means you're not wrong to be careful, both in general, and on hn in particular.
replies(2): >>43546286 #>>43547666 #
16. spencerflem ◴[] No.43546239[source]
Take a look at sandstorm.org - its set of apps is fairly limited compared to the docker based options but it goes incredibly far wrt security. It was designed by the now head of Cloudflare Workers and pitched as a selfhosting platform for medical and other highly regulated industries. There's still nothing else quite like it
replies(1): >>43546627 #
17. UK-Al05 ◴[] No.43546265[source]
Isn't 95% of it just blocking every port except the service you want to expose, and then making sure everything is up to date and the service is built in a secure way?

WAFs etc. just hide the fact the code in your service is full of holes.

replies(1): >>43547852 #
18. raphman ◴[] No.43546286[source]
Hmm, my first guess would have been that you have been a target of "brushing" [1]. In a Reddit thread from 2020 [2], multiple people mention that they received surgical masks they did not order.

[1] https://www.bbb.org/article/news-releases/20509-amazon-brush... [2] https://www.reddit.com/r/tulsa/comments/hpe8s1/just_got_a_su...

replies(1): >>43546499 #
19. qskousen ◴[] No.43546338{4}[source]
If you need a middle ground between docker and k8s, you might have a look at nomad. Definitely a learning curve, and I find the docs lacking, but easier to set up and maintain than k8s.
20. crtasm ◴[] No.43546370[source]
I think they want to host public websites.
21. cenamus ◴[] No.43546477[source]
I suppose also no public IP on your home connection?

Because since my new provider only provides cg-nat, I've been using a cheap server, but actually having the server at home would be nice.

replies(1): >>43549426 #
22. Brian_K_White ◴[] No.43546499{3}[source]
Interesting! I never heard of that.

The package came from a US company in Texas not China. Not directly, the mask could have been made anywhere, but the package did not contain any other mail labels like when you get something from China. And never happened before, never happened again, and was literally only a single mask.

Still, seems to fit anyway because the brushing descriptions do vary in the details a little. My example still fits.

Or maybe it still was the hn guy and this just the method they used because they knew about it.

Anyway thank you.

23. nosebear ◴[] No.43546590[source]
I agree - I always wonder: should I go overkill and put everything in its own VM for separation? Is it ok to just use containers?

If using Podman, should I use rootless containers (which IMO suck because you can't do macvlan, so the container won't easily get its own IP on my home network)? Is it ok to just use rootful Podman with an idmapped user running without root privileges inside the container and drop all unnecessary capabilities? Should I set up another POSIX user before, such that breaking out of the container would in the end just yield access to an otherwise unused UID on the host?

If using systemd-nspawn, do all the above concerns about rootful / rootless hold? Is it a problem that one needs to run systemd-nspawn itself with root? The manpage itself mentions "Like all other systemd-nspawn features, this is not a security feature and provides protection against accidental destructive operations only.", so should I trust nspawn in general?

Or am I just being paranoid and everything should just be running YOLO-style with UID 1000 without any separation?

All of this makes me quite wary about running my paperless-ngx instance with all my important data next to my Vaultwarden with all of my passwords next to any Torrent clients or anything else with unencrypted open ports on the internet. Also keeping everything updated seems to be a full time job by itself.

24. diggan ◴[] No.43546600[source]
You'll have a hard time hosting websites/projects meant for the public to view, if you don't allow public internet traffic :)
replies(2): >>43550354 #>>43555064 #
25. diggan ◴[] No.43546627[source]
> pitched as a selfhosting platform for medical and other highly regulated industries

Having first heard about Sandstorm at the first open beta 10 years ago (https://news.ycombinator.com/item?id=10147774) and read about it on/off since then, this is the first time I hear anyone pitching it for "medical and other highly regulated industries". Where exactly does this come from?

> There's still nothing else quite like it

Plenty of other similar self-hosted platforms; YunoHost is probably the closest, most mature and most feature-packed alternative to Sandstorm, at least as far as I know.

replies(1): >>43546784 #
26. palata ◴[] No.43546716{4}[source]
This is very interesting! Have you considered writing a blog post explaining that kind of setup? I would love that! In the meantime, thanks a lot for the insights, that's a good starting point!

> I'm not a fan of DMZ as they get messy as you then have to ensure your host is protected correctly.

Could you elaborate on that? Specifically in my case I would have a perimeter router to which I would connect both my server and the inner router. My LAN would stay behind the inner router, so my understanding is that it still strictly has the same security as when my inner router was connected to the ISP; I just add a layer with the perimeter router.

Then the perimeter router opens the server (probably just chosen ports) to the public Internet, so that the server is reachable.

Wouldn't that mean that my host is protected correctly?

replies(1): >>43551315 #
27. spencerflem ◴[] No.43546784{3}[source]
There's nothing else like its security model - YunoHost has a similar user-facing experience. (Better IMO).

I might have overstated the medical field- but they did pitch it as a product for enterprises with security requirements: "Sandstorm’s users included (and may still include – there’s no way for us to tell) companies, newspapers, educational institutions, research laboratories, and even government agencies. " (https://sandstorm.io/news/2024-01-14-move-to-sandstorm-org)

28. palata ◴[] No.43546857{3}[source]
I haven't seen such a guide, unfortunately :-).

I consider hosting a system or service trivial ("just run the service and open its port to the public Internet"). Then the first question is: what if the service gets compromised (that seems like the most likely attack vector, right?)? Probably it should be sandboxed. Maybe in a container (not running as root inside the container, because I understand it makes it a lot easier to escape), better if it is in a VM (using Xen maybe?). What about jails?

Now say the services are running in VMs, and the "VM manager" (I don't know what to call it, I mean e.g. dom0 for Xen) is only accessible from my own IP (ideally over a VPN if it's running in a VPS, or just through the LAN if running at home?), the next question is: what happens if one of the services gets compromised? I assume the attacker can then compromise the VM, so now what are the risks for me? I probably should never ssh as a user and then login as root from there, because if it's compromised the attacker can probably read my password? Say I only ever login through ssh, either as root directly or as the user (but never promoting myself to root from the user), what could be vectors that would allow an attacker to compromise my host machine?

I listened to a lot of "Darknet Diaries" episodes, and the pentesters always say "I got in, and then moved laterally". So I'm super scared about that: if I run a service exposed to the Internet, I assume it may get compromised someday (though I'll do my best to protect it and keep it up-to-date). But then when it gets compromised, how can I prevent those "lateral moves"? I have no idea, as in "I don't know what I don't know".

All that to say, I would love to find a book or blog posts that explain those things. Tutorials I see usually teach how to run a service in docker and don't really talk about security.

29. 0xEF ◴[] No.43547666[source]
It's always scary, no matter how innocuous. I'm glad it did not escalate into something else for you!

Without getting too deep into it, there are some things I know how to do with computers that I probably shouldn't, so my thought is this; if I, a random idiot who just happened to learn a few things, can do X, then someone smarter than me who learned how to attack a target in an organized way probably has methods that I cannot even conceive of, can do it easier, and possibly without me even knowing. It's this weird vacillation between paranoia and prudence.

For me, it's really about acknowledging what I know I don't know. I do some free courses, muck about with security puzzles, etc, even try my own experiments on my own machines, but the more I learn, the more I realize I don't know. I suppose that's the draw! The problem is when you learn these things in an unstructured way, it's hard to piece it all together and feel certain that you have covered all your vulnerable spots.

30. 0xEF ◴[] No.43547817{3}[source]
I'm not the person you asked, but if some security researcher such as yourself needs a million-dollar service to sell, I'll offer that I would pay decent money for a webapp or something where I can list all the things in my stack or project and it spits out a list of known and possible vulnerabilities that I should check default configs for, update, patch, etc.

My thinking is this; if I'm willing to fork over dollars to a VPS hosting service for peace-of-mind, then paying for a service that helps me understand what I'm doing when it comes to self-hosting should also be on the table as an alternative.

That said, I have no idea how viable of a business model that would be, or if it would even be able to be developed and upkept with reliable info. Or, maybe it already exists, but on an enterprise level that I cannot afford for some dumb little blogs.

replies(1): >>43551860 #
31. sceptic123 ◴[] No.43547852[source]
What's the 5% that's not blocking ports for services you want to expose?

Ensuring your infra is built in a secure way is as important as ensuring your service is built in a secure way.

replies(1): >>43551171 #
32. fm2606 ◴[] No.43549426{3}[source]
Correct, there is no public IP address exposed to my home.

Right now my "servers" are Dell micro i5s. I have used RPI 3 and 4 in the past. My initial foray into self-hosting was actual servers. Too hot, too noisy and too expensive to run continuously for my needs, but I did learn a lot. I still do, even with the micros and Pis.

replies(1): >>43582771 #
33. arevno ◴[] No.43550354{3}[source]
We've been running production traffic via Cloudflare Tunnels for over a year with no problems. Ngrok and tailscale both run similar services, too.
replies(1): >>43550735 #
34. ghoshbishakh ◴[] No.43550735{4}[source]
There is also https://pinggy.io which is even simpler to use. Just paste one command like ssh -p 443 -R0:localhost:8000 qr@a.pinggy.io
35. majewsky ◴[] No.43551171{3}[source]
Part of it is that you may get (D)DoSed and then your ISP may be any amount of pissed at you for taking on significant ingress traffic on a residential network.
36. doublerabbit ◴[] No.43551315{5}[source]
That sounds pretty reasonable.

While home routers tend to set their rules as outbound allowed and inbound denied, my DC just provides me with a network cable to the big pond of data.

How I secure that for my home network is using my personal rig with multiple network ports.

One port acts as a public bridge. The 3rd and 4th network ports are then assigned to the private bridges.

The 2nd port then sits in a middle bridge where it communicates to both the public and private bridge.

37. Aachen ◴[] No.43551860{4}[source]
The CVE database is free. Or maybe NVD are the ones publishing this mapping of CVEs to software packages and versions, but either way, a site like cvedetails will give you this information. I'm less sure where you could subscribe to these for all software thingies you run (maybe cvedetails already has that)
38. Karrot_Kream ◴[] No.43552531[source]
This is a good concern to have. I feel like the emotional currency around self-hosting on tech forums makes too many people excited to talk about self-hosting and forget about practical things like security. Remember: defense in layers.

Things I do:

* Make sure domain WHOIS does not point to me in any way, even if that means using some silly product like "WHOIS GUARD"

* Lock down any and all SSH access. Preferably only allow key-based authentication.

* Secure the communication substrate. For me this means running a Zerotier network which all dependent services listen on. I also try to use Unix sockets for any services colocated on the same operating system and restrict the service to only listen on sockets in a directory specifically accessible by the service.

* Try to control the permission surface of any service as much as possible. Containers can be a bit heavyweight for self-hosting but make this easy. There are alternatives like bubblewrap and firejail as well.

* Make use of services like fail2ban which can automate some of the hunting of bad actors for you.

* Consider hosting a listener for external traffic outside of your infra. For redundancy, load-shedding, and for security I have an external VPS that runs haproxy before routing over Zerotier to my home infrastructure. I enforce rate limits and fail2ban at the VPS so that bad actors get stopped upstream and use none of my home compute or bandwidth. (I also am setting up some redundant caches that live on the VPS so if my home network is down, one of my services can failover.)

* Segregate data into separate databases and make sure services only have access to databases that they need. With Postgres this is really simple with virtual databases being tied to different logins. I have some services that prune databases that run in a cron-like way (but using snooze instead) and they have no outbound net access.

If your network layer is secure and your services follow least-privilege, then you should be fairly in the clear.

replies(1): >>43552878 #
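
The Postgres item in the list above, one database and one login per service with nothing else able to connect, as an added example (not code from the thread or from Karrot_Kream): SQL for psql that creates the pair and strips the default PUBLIC grants, a query that audits who can connect where, and matching pg_hba lines for the unix socket. Service names paperless and vaultwarden are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: one PostgreSQL login and database
# per service, with PUBLIC stripped so a compromised service cannot even
# connect to its neighbours' databases, plus a query to verify it.
# Hypothetical service names: paperless, vaultwarden. Run as the postgres
# superuser.

# SQL (for psql) that creates the pair. The password is passed as a psql
# variable (-v pw=...) so it is never in the script; :'pw' quotes it safely.
service_db_sql() {
  svc="$1"
  cat <<EOF
CREATE ROLE "$svc" LOGIN PASSWORD :'pw';
CREATE DATABASE "$svc" OWNER "$svc";
-- CONNECT and TEMP on a new database are granted to PUBLIC by default
REVOKE ALL ON DATABASE "$svc" FROM PUBLIC;
\\connect "$svc"
-- before PostgreSQL 15 every role could create tables in public; close that too
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
EOF
}

# Verification: which non-superuser logins may CONNECT to which database.
# After the above, each service should appear only on its own row.
audit_sql() {
  cat <<'EOF'
SELECT d.datname, r.rolname
FROM pg_database d CROSS JOIN pg_roles r
WHERE r.rolcanlogin AND NOT r.rolsuper
  AND d.datname NOT IN ('template0', 'template1')
  AND has_database_privilege(r.rolname, d.datname, 'CONNECT')
ORDER BY 1, 2;
EOF
}

# pg_hba lines: each service reaches only its own database, over the local
# socket, with SCRAM. Place them above any broader "all all" line, because
# pg_hba is first-match and is the gate that actually matters.
pg_hba_lines() {
  for svc in "$@"; do
    printf 'local   %-12s %-12s scram-sha-256\n' "$svc" "$svc"
  done
}
```

Usage: `service_db_sql paperless | psql -U postgres -d postgres -v pw="$(openssl rand -base64 24)"` once per service, `pg_hba_lines paperless vaultwarden` appended near the top of pg_hba.conf followed by `pg_ctl reload`, then `audit_sql | psql -U postgres` should show paperless only on the paperless row and vaultwarden only on its own. The database-level REVOKE is belt and braces; if a service is also allowed through pg_hba to "all" databases, a stolen connection string reaches everything.
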
39. Karrot_Kream ◴[] No.43552562{3}[source]
Why not just have nginx listen on the Wireguard interface itself? That way you drop all traffic coming inbound from sources not on your Wireguard network and you don't even have to send packets in response nor let external actors know you have a listener on that port.
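
Both variants above, the_snooze's allow-list with a 403 for everyone else and the suggestion here to listen only on the WireGuard address, as one added example (not code from the thread or from either commenter): an nginx server block bound to the wg0 address with the subnet allow-list kept as a second layer, and a check for sockets that ended up bound to every interface. The wg0 address 10.8.0.1/24, LAN 192.168.1.0/24, backend port 8000 and name home.example are hypothetical; the `ss` sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: nginx bound only to the WireGuard
# address (nothing listens on the public IP, so a scanner sees a closed port
# rather than a 403) with allow/deny as a second layer, plus a check for
# sockets accidentally bound to every interface. Hypothetical values: wg0
# address 10.8.0.1/24, LAN 192.168.1.0/24, site name home.example.

# nginx server block. `listen 10.8.0.1:443` binds that address only; the
# allow/deny list still matters for anything that reaches nginx via a
# forward, NAT or a second listen directive added later.
nginx_private_site() {
  cat <<'EOF'
server {
    listen 10.8.0.1:443 ssl;          # WireGuard address only, no 0.0.0.0
    server_name home.example;
    ssl_certificate     /etc/letsencrypt/live/home.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.example/privkey.pem;

    allow 10.8.0.0/24;                # VPN clients
    allow 192.168.1.0/24;             # home LAN
    deny  all;                        # everyone else: 403

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
EOF
}

# Audit: given `ss -ltnH` output, print TCP listeners bound to all addresses
# (0.0.0.0, [::] or *), i.e. reachable from the public side whenever the
# firewall lets the port through. Column 4 is the local address:port.
wildcard_listeners() {
  printf '%s\n' "$1" | awk '$4 ~ /^(0\.0\.0\.0|\[::\]|\*):/ { print $4 }'
}

# Constructed sample of `ss -ltnH` (not captured from a real host).
SAMPLE_SS='LISTEN 0 511  10.8.0.1:443   0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 128  [::]:22        [::]:*
LISTEN 0 511  *:80           *:*'
```

Run `wildcard_listeners "$(ss -ltnH)"` after every config change; on the sample it reports sshd on 22 and something on 80, which is exactly what a VPN-only box should not have. One caveat with binding to a specific address: nginx fails to start if wg0 is not up yet, so either order the unit after `wg-quick@wg0.service` or set `net.ipv4.ip_nonlocal_bind=1` so the bind succeeds before the interface exists.
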
40. 3abiton ◴[] No.43552878[source]
Beside fail2ban, I also recommend endlessh. Simple yet beautiful piece of software.
41. raxxorraxor ◴[] No.43555038[source]
I think a normal patched Debian/Ubuntu with ufw rules for ports 80/443 and 22, ssh certificate auth only and a simple nginx configuration is still very safe.

Of course there can be security issues on your webserver as well, but for a simple site this setup is learnable in an hour or two and you are ready to go.

You can hook that up on a Pi attached to your router or pay a bit to have it hosted somewhere. A domain is perhaps $2-5 and a TLS cert you can get from Let's Encrypt.

No idea how to put everything into a container so that it makes sense. I just run this quite often on small hosted machines elsewhere. I just install everything manually because it takes 5 minutes if you have done it before.

42. raxxorraxor ◴[] No.43555064{3}[source]
But you don't have as many security issues as well :)
replies(1): >>43555590 #
43. ◴[] No.43555405[source]
44. diggan ◴[] No.43555590{4}[source]
This is why I never leave my house too :)
45. loughnane ◴[] No.43556435[source]
Since my setup is for personal use I just use a VPN. My home router is running OPNsense and this setup wasn't too bad. I also pay my ISP for a static IP address.

https://docs.opnsense.org/manual/how-tos/wireguard-client.ht...

Then on my phone I just flick on the switch and can access all my home services. It's a smidge less convenient, but feels nice and secure.

46. cenamus ◴[] No.43582771{4}[source]
What do you use for your remote server? Because even a VPS seems kinda overkill, if all it's doing is some redirecting. I guess you could do TLS termination there as well...