I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has “–net host”, although the containers can access host services because they have the option “–map-guest-addr” set, so I don’t know if this is any safer then “–net host”.

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don’t think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don’t really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

  • satanmat@lemmy.world
    link
    fedilink
    English
    arrow-up
    25
    ·
    17 hours ago

    The single best thing you can do security wise, is to NOT have any personal data on a web facing server.

    Separate the data

    Rereading it does look like you are doing the things right; so just audit what is on the public side. - your calendar and tasks- cool

    Your photo and docs, do those need to be on there?

    they are not accessible on the WAN

    If they are on a server that is publicly accessible, please move them to a different location

    Otherwise you sound like your doing well

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 hours ago

      Your photo and docs

      At least in my case, it’s really handy to share photos with other family members. But certainly you don’t need all of them available on the same public service.

      • miau@lemmy.sdf.orgOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 hours ago

        Thats a good point. Maybe I can get away with just temporary file sharing. So when someone wants something I can upload it to the server and send a link. I bet even nextcloud could do that.

        Still way less scary then having everything on the server all the time

    • miau@lemmy.sdf.orgOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      17 hours ago

      That was a great answer, thank you so much!

      Yes I didnt even notice the family photos and docs dont need to be on that same server. Initially I just put them there to act as a local file share. But you are absolutely right, moving them from the public server is the best thing I can do to protect them.

      I will look into setting up a second server for the private stuff that is not publicluly accessible

      • Lyricism6055@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        16 hours ago

        If this server is publicly accessible and gets pwned, they can use it as a jump box for your internal devices.

        • miau@lemmy.sdf.orgOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          14 hours ago

          Thats a good point, I hadnt thought about it before. I like the possibility of sharing these files in my intranet but I suppose you are right. Maybe I could use openwrt to split two networks, one for public stuff only, but my knowledge of networking is quite limited.

          • Lyricism6055@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 hours ago

            Yeah what you’re talking about is a DMZ, it still won’t help a ton if you don’t have strict firewall controls inside your network too.

            I just use wireguard with firewall rules to restrict to just my server with my docker containers on it and my DNS