I read the other day about a protocol called Gemini.

https://geminiprotocol.net/

It might fit what you are looking for, if you goal is just to publish interesting content, or get the experience learning something new and different, but not for you if you want to monetize.

It is an alternate to the internet. You can self host there, also, but they have built Gemini to be unable to support applications, bots, malware etc… it goes much deeper, if you are curious, you should read, I am fascinated.

Only expose services internally then use a secure VPN to access your services, this makes your network no more vulnerable in practice than not self hosting. If you need/want to expose something to the internet, make sure you setup your network right. Use a DMZ to separate that service and leverage something like CrowdSec along with good passwords, antivirus, and keep things patched.

The ‘immediate attacks’ ppl mention is just static background noise. Server / scripts that run trying to find misconfigured, highly out to date or exploitable endpoints/servers/software.

Once you update your software, set up basic brute force protection and maybe regional blocking, you do not have to worry about this kind of attack.

Much more scary are so called 0-Day attacks.

1. No one will waste an expensive exploit on you
2. It sometimes can happen that 0-Days that get public get widly exploited and take long time to get closed like for example log4shell was. Here is work necessary to inform yourself and disable things accorsing to what is patched and what not.

As i already said, no one will waste time on you, there are so much easier targets out there that do not follow those basic rules or actually valuable targets.

There is obviously more that you can do, like hiding everything behind a VPN or advanced thread detections. Also choosing the kind of software you want to run is relevant.

It’s mostly automated exploit finders looking for low hanging fruit. fail2ban and up to date software is your friend.

Outbound firewall and SMAC protections.

If you compromise my server you’ll struggle to phone home without manual intervention, which is good enough to stop botnets.

If you don’t need stuff publicly accessible, and just need it accessible to you, then set up a small computer on the network as an ssh Bastion host/jump server, put it on a VPN connection with a VPN provider that offers dyndns, forward the ssh port through the dyndns, and then off network, reverse proxy in with socks5 via key based ssh -D to gain access to all the services available inside the LAN.

Been doing this for a few years, works great and no one is getting in without my ssh key.

Just use tailscale and don’t forward any ports and you’ll be fine

Dealing with this constant threat seems like it would be frightening enough as a full-time job, but this would only be a hobby project for me.

Hobbyist/Enthusiast here. Most of the bots are autonomous. They are deployed and constantly sniff for any little cracks and crevasses in the armor. Don’t be fooled tho, they are quite sophisticated. I see some have mentioned fail2ban, and Crowdsec. Both are very capable. UFW (uncomplicated firewall) is also very good. When I set up UFW and my external, standalone pfsense firewall, the way I go about it is to block everything, then step by step, open only the ports that absolutely have to be opened.

Tailscale is also a great overlay vpn along with netbird. Tailscale can also be used as an emergency entry to your server should you lock yourself out, so it has multiple uses. Additionally, since you say you have technical knowledge, Cloudflare Tunnel/Zero Trust pretty much wraps everything up. I know there are a lot of selfhosters dead set against Cloudflare, so that’s a decision you have to make. Cloudflare does not require you to open ports or fiddle with NAT. You set it up on your server, Cloudflare takes care of the rest. If you wanted additional protection, you could install Tailscale as an overlay on the server. The caveat to using Cloudflare Tunnel/Zero Trust is that you have to have a domain name that allows you to enter and use Cloudflare’s name servers for obvious reasons. You can get a domain anywhere although Cloudflare will sell you one if you wish to go that route.

Since I am the only user of my server, I’ve taken the additional step of implementing the hosts.allow/hosts.deny TCP Wrapper ACL files (although you can have multiple users with hosts.allow/hosts.deny). If you go this route, make sure you do the hosts.allow, so that when you edit the hosts.deny you’ll enter ALL : ALL for a default‑deny stance. For my purposes, multiple users cause multiple issues, so I don’t share. :p

Probably should go without saying you should use ssh keys when administrating the server via ssh.

ETA: Hope everyone is safe in the US with this frigid weather.

ETA2: If you decide to go with Cloudflare Tunnel/Zero Trust, I have some notes that seems to have helped several people and I would be happy to share them.

Yes…yet another comment. LOL Something you should do from the very start is take notes of everything you do on the server. I use Notepad++ for the rough draft while I’m setting something up. Copy/paste, write out commands, notations, what this or that does. Take prolific notes. I really can’t stress that enough. That way, if you need to back out of something, or if the wheels fall off, you can go right back to your notes. Don’t be lulled into the idea that you will be able to remember every last keystroke you’ve made. That rarely happens. Take notes.

When I have successfully deployed whatever I’m working on, then I go back, take my notes, clean them up, and place them in Obsidian and make backups of them.

Yikes, lot’s of bad advice in this thread.

My advice: Go develop an actual threat model and find and implement mitigations to the threats you’ve identified.

If you can’t do that, that’s totally okay; it’s a skill that takes a lot of time and effort to learn and is well-compensated in the industry.

You will need to pay for it. Either through an individual assessment by someone who knows what they’re doing, managed hosting services where the hoster is contractually liable and has implemented such measures, by risking becoming part of a botnet or by not hosting in a world-public manner.

My recommendations:

• Pay for proper managed hosting for every part of your system that you are not capable of securing yourself. This is a general rule that even experienced people follow by i.e. renting a VPS rather than exposing their own physical HW. There are multiple grades to this such as SaaS, PaaS and IaaS.
• Research, evalue and implement low-hanging fruit measures that massively reduce the attack surface. One such measure would be to not host in a manner that is accessible to the entire world and instead pay for managed authenticated access that is limited to select people (i.e. VPN such as Tailscale)
• git gud

• routine patching
• siem log aggregation
• proper alerting metrics and notifications
• routine virus scanning
• proper network segregation between your NATd network and your personal network
• firewall firewall firewall
• expose your applications to the internet through a WAF, never directly

if you can do all these things properly, then there shouldn’t be too much danger in selfhosting your apps publicly.

Damn dawg, reading this made me not wanna self host my own instance. I was considering it.

By default your OS is secure. You only have to think about what you expose and how can it be broken in. Disable SSH password authentication. Don’t run software that is provided by hobbyists who have no enough security expertise (i. e. random github projects with 1 or 2 contributors and any software that recommends install method curl <something> | sudo bash). Read how to harden the services you run, if it is not described in the documentation — avoid such services. Ensure that services you installed are not running under root. Better use containerized software, but don’t run anything as root even inside containers. Whenever possible, prefer software from your distro official repos because maintainers likely take care about safe setup even if upstream developers don’t. Automate installing security updates at the day they released.

What doesn’t help:

• Security through obscurity. Changing SSH port etc. Anyone can scan open ports and find where SSH is listening.
• Antivirus. It is simply unable to detect each of numerous malicious scripts that appears every day. It just eats your system resources.The best it can do is to detect that your host is compromised, but not prevent this. It is not security, just marketing.
• Making different rules for public internet and DMZ. Consider there’s no DMZ. Assume that your host can be accessed by crackers from anywhere.

deleted by creator

That’s the point. It taught me things that I wouldn’t learn if it weren’t for that scared feeling. I agree that some sensitive things are better off my server.

You should start small and keep only things you want to be public, and services under basic logins. First logins, maybe admin admin but slowly you will get better and also place fail2ban and crowdsec. Once you have enough confidence and years of service on your belt. You can trust it with sensitive files under heavy guard.