I have been running a large server 24/7 for about a month and a half now. It is only for myself and the fam, no one else has access to it at all.
I’m trying to learn about selfhosting and whatnot, but it’s…a lot. Is there anything I need to do specifically besides configuring it correctly in order to protect it and myself. I hear people talking about putting stuff in dockers, putting things behind a reverse proxy, a VPN, etc.
I do currently have it running behind ProtonVPN but that’s it. Do I need to be doing more?
Thanks in advance for any help!
I expose mine, have crowdsec and Authelia in front and it’s been fine so far, don’t expose things like ssh to the internet and change the port for it and you’ll probably be fine.
Is the server exposed to the internet at all? ie, Did you open a port on your firewall to allow inbound connections? If not, then nothing should be exposed to the internet and you should have no problem. Proton is also a vpn not a firewall and really doesn’t offer much protection against attacks. It basically just muddies the water on the origin of your Internet traffic.
Hobbyist (not a security expert here) but using a VPN that’s trusted should be fine. Your security hinges on proton’s reputation but from what I know they’re pretty good. If I’m wrong please correct me in the comments and I will edit this comment.
I’ve used the services of at least 9 or 10 VPNs over the years and I not once been as satisfied with any of them as I am with Proton.
Don’t expose it over the Internet, local network access only, is the easiest but also limits you to accessing it only at home.
You could use something like tail scale or setup your own wireguard server to keep it still local-ish but still allow trusted people access.
Reverse proxy with auth of some kind if you plan to expose it to the Internet.
Thanks for clarifying. No, it is only meant to be used as a centralized entertainment system here in my home. None of us care about taking said media with us when we leave the house.
Reverse proxy/SOCKS5 works well in my experience.
I have a little computer on my network which runs my VPN - then on that computer I have ssh listening on a non-standard port that my VPN’s dyndns links up to a human readable hostname with a different port.
If I want to watch stuff off-network I just have to ssh -D to that hostname and port and then configure a browser to use the connection as a SOCKS5 proxy, then jellyfin and anything else I’m hosting works as if locally through that browser.
The ssh is key based as well, not password based - haven’t had any incidents in doing it this way.
