Self-Hosting & Home Server Security Tips

Captions
Hey guys, happy Wednesday, hope everybody is doing well out there. Today, you know, we spend a lot of time on here talking about installing applications on your Docker server, and a lot of times we want those applications to be accessible from the internet. Of course that sketches out a lot of people, and it should: any time you expose ports on your modem and your router, you're kind of inviting people into your home network. So today what we're going to do is talk about what I feel are some best practices to help mitigate some of those issues. Now I want to be clear: I am in no way a network professional, I'm not a security professional. These are just some things that I have read up on, done some research on, and put together as my own personal notes for things that should help you keep the bad guys out.

So let's dive into this. I've got some notes down here that we're going to read through a little bit and talk about some very high-level stuff at first, and then we'll dive into some more in-depth stuff a little later. Let's talk about the notes first; in fact, I'll just drag this up here like this. And again, this isn't meant to be all-inclusive or definitely going to work all of the time. Bad guys are bad guys; they'll find their way in if they really, really want in. But this is just a good roadblock to say, "Hey, I'm not a complete idiot, move along."

Right up here at the top: only open the ports you need. If you're using a reverse proxy on your server to give access to your applications, you should only need to open ports 80 and 443. 80 is just your standard unencrypted traffic; 443 is your SSL or HTTPS traffic. Those are the only two you should need to open by default, unless you're using a VPN, but we will talk about that a little later. That's actually why I've got port 1194 listed here as well; that's the standard VPN port. That being said, you should probably not use 1194 because that is the standard VPN port. If you set up a VPN on your server, you should probably change it to some other random port.

Using a third-party service like Cloudflare for DNS services: they manage all of your DNS, that sort of thing, but they also offer IP protection, where you can actually run a proxy on their service that will hide your home server's IP address, your home IP address, the whole bit, if you get this set up correctly. In fact, you know what, I'll just show you. I have video.dbtech.site set up. This is not my home IP address; I just spun up a DigitalOcean node, or droplet I guess they call them, and this is the IP address to get there. So what I'm going to do is... oops, I'm not going to open that. I'm going to open up a command prompt, like so, and I'm going to ping video.dbtech.site. Here you can see that is the IP address of my server over on DigitalOcean. In fact, let's see if I've got it down here... nope, I'll just open it up: DigitalOcean, sign in, video.dbtech.site. If I open this up, here is that IP address. That just shows complete transparency: that's the IP address. So we can see that that's pinging just fine. It's got some bad ping times, but what do you do, right?

So now let's go back over here. Let's turn DNS on and we'll click save. So now this is being proxied. Now we will have to give this a couple of minutes in order for this to fully take effect, but what we can do is ping that with a -t, and then hopefully here in a moment this should change. If it doesn't, the other thing we can do is ipconfig /flushdns. There we go. So now for video.dbtech.site we're getting a completely different IP address, and if I had a site set up on DigitalOcean this would still give us access to that site, but Cloudflare is actually obfuscating or proxying our IP address through one of theirs. If somebody does try to attack that IP address, Cloudflare will actually mitigate that through their DDoS protection, and that's all part of their free plan.

Now, like I said in my notes, they offer free SSLs. There's no reason not to take advantage of that. I've been using their free SSLs for, like, eight years now, I think, on all kinds of different websites and home servers and things that I've deployed literally all over the world, and they work great. They're free, and it's just been a really great experience for as long as I've been using them. They've also got, on their free plan, the option for additional firewall rules. So if we come over here and go to their firewall managed rules, they've got some stuff in place by default. This is very good stuff to start with, but I've actually gone in and added some of my own firewall rules. There was an issue a while back with a specific malware that was going around affecting OpenMediaVault and Docker, that sort of thing, so I just blocked that IP address just to be sure. It's never come up since I've put it up there; I've never seen it come up here, so I've just got it there as an additional precautionary measure.

I've also got the option of "known bots." That's anything that's going to possibly index your site, crawl your site, your applications, whatever you want to call them. Oftentimes those bots may be Google bots or Yahoo bots that are just indexing the internet to put it up on the search engines; other bots are not doing great things, some of them are nefarious. So they've actually got a "block known bots" filter that you can turn on. By default I've done that, and here you can see in the last 24 hours it has stopped 220 bots from trying to talk to my home server. Also, these 33: those are basically everything that isn't the United States that has tried to get access to my server. Now I understand that basically blocking the rest of the world other than my country is not a perfect solution, but I'm not in Germany, I'm not in Russia, I'm not in France, I'm not in Australia, so those countries don't need to have access to my server. Now I know that they could use a VPN to bypass that, to make themselves appear to be in the U.S., but it's just a good extra measure to block any country that you're not in or not giving access to explicitly.

So I think that pretty much covers Cloudflare. Keep in mind that I've only ever used their free plans. I've been using their free plans for a long time and they've always worked really well. In fact, I've actually considered jumping up to one of their paid plans just to try to help pay them back for all of the time that they have saved me with their really great security in place by default. I just haven't managed to do that yet, but just understand that you can do all of this on their free plans. So that covers Cloudflare, in my opinion. If you've got questions about Cloudflare, definitely let me know in the comment section down below. I'm a big advocate of Cloudflare and I encourage everybody to use it.

On a fairly regular basis I get people asking me the question of how do I make Nginx Proxy Manager available to the internet, or how do I make OpenMediaVault available to the internet, so I can manage those things when I'm not at home. The short answer is: don't. Don't forward your OMV port, don't forward your Nginx Proxy Manager port. If somebody gets a hold of those ports and gains access to your system, there's not much you can do about it. So you want to make sure that those are only available from inside your network. Of course, the workaround to that is to set up a VPN on your server that grants access to your network. I've got a video explaining that... I'm not actually going to link to it now that I think about it; I tried to get it set up and it wasn't working correctly. So I will have a link to a tutorial that I used yesterday to set up a VPN on a Raspberry Pi, at least that's what I used; I will link that in the description down below so that you can check that out. So only make your OpenMediaVault, your SSH, your Docker gear, Portainer available inside your network, with the caveat being unless you're connected via a VPN.

Next, I want to skip past Nginx Proxy Manager for just a moment; we'll come back to that. Like it says, these next few things here: keep your OpenMediaVault up to date. Make sure that you're checking for updates regularly. Keep your server up to date: SSH into it, do a sudo apt-get update, sudo apt update, sudo apt upgrade. Do that regularly and make sure all of your stuff stays up to date. If you don't, people are going to find exploits to get in. So always make sure that all of your patches and all your updates are done regularly; that's super, super important. Same thing goes with your Docker containers. I don't encourage using something like Watchtower to manage all of your updates, but set up Watchtower in notify-only mode so that when there is an update you'll get an email; then you can go in and manually do the updates if you want to. Or, if you want to be lazy, feel free to use Watchtower or Ouroboros, I think that's how it's pronounced, I don't know. There are containers out there, applications out there, that will automatically update all of your containers. If you want to be lazy and do that, go for it; just understand that it could cause problems if an update goes poorly. But again, keep everything up to date all of the time: your server, your OpenMediaVault, your Docker containers. Keep all of that up to date to help mitigate any kind of potential security leak.

Also, when we're talking about Docker containers, only use Docker containers from trusted sources. If you go to hub.docker.com, some of the repositories there, like linuxserver.io, are verified; a lot of the big corporations are verified. If you see an application that you want and it's got, say, a million downloads or 500,000 downloads or something, it's probably safe. If you see something that's got only a couple of downloads, be wary of that. Just make sure that any of the containers you deploy are from known, reputable sources. Also, just because the source is reputable, make sure that it's a new version or that it's been updated fairly recently. When I look for a certain application I might see 10 versions of it from 10 different developers, and some of those haven't been updated in two or three or five years. Don't use those. Try to find something that's been updated recently and from a trusted source, just to make sure you're not getting into anything that might compromise your server.

This next one should go without saying: make sure you've got backups of your data. My server is currently set up to run a backup three days a week locally and store all of that locally, and then one day a week it backs all of that up to the cloud. That way I've always got multiple backups of my stuff. I should probably do more than that; I should probably run a manual backup and store it somewhere else, give it to a friend, whatever. But you should always have multiple backups of your server just in case, and this is something I can't stress enough: set up a local backup as well as a remote backup, just to make sure that if something goes wrong, your house burns down, whatever, you've still got access to your data somewhere.

All right, this last section here, not the last thing we're going to talk about but the last section in this little area here: don't give access to just anyone, and if you have to give somebody access, give them the bare minimum that they need to get by. The reality is the general public is not real tech savvy in the grand scheme of things. Now, your friends and your family may be different than that, just because if you're watching this you're probably a fairly tech savvy person, and we tend to congregate with other tech savvy people. But for instance, I've given my cousin, who's not tech savvy, access to my server, but only Emby. He can only have access to my media server and nothing else. He can only log in and watch videos; he can't add videos, he can't delete videos, he can't do anything other than watch videos. That's just a precautionary measure to make sure that nothing goes wrong, even accidentally, and that's just a best-practice thing: only give people access to the things they need access to and nothing more than that. Don't give your buddy SSH access to your server, don't give him root access to your server. Set up a separate account, give him the access he needs and nothing more.

Okay, so the last thing I want to talk about here, when we're creating applications and giving them access to the internet, or giving internet access to them, I suppose would be the better way to say this: use a reverse proxy. In the past I've talked about Traefik. Traefik is great for certain things, though in my opinion it's not as user-friendly as Nginx Proxy Manager, and that's the next section that I want to focus on here. This is a big one that I've been using for several months now and I've had a lot of really good success with it. So let's jump over here and take a look at my Nginx Proxy Manager server. We're logged in here, and if we just look, we've got our dashboard; our hosts, that's where our applications are going to be; our access lists, which are actually going to be a big part of your security, and I think it's a great way that they've implemented this; SSL certificates: when you set up an application in Nginx Proxy Manager you have the option to set up a free Let's Encrypt certificate for your server to add an additional layer of security, to encrypt all of the traffic going out, and coming in for that matter. It encrypts all of the traffic on your server to keep prying eyes from looking at what's going on. Users: I highly encourage you, if you're going to have multiple people on here, set up everybody as their own separate user. Chances are you're the person administrating your server and you don't need additional users, most likely. Audit log: here you can just see everything going on, updated proxy host, deleted proxy host, things like that. Unfortunately there's not a lot of detailed information as far as who's tried to access from where. I actually reached out to the developer and he doesn't have any plans to add that, which is kind of a bummer, but just know that you can see some of the stuff going on with regards to your Nginx Proxy Manager under the audit log. And then we've got settings, and this is just: if somebody tries to go here and nothing is there, what do you want it to do? It just takes them to a congratulations page by default, and that's probably just fine.

So let's take a look at hosts. Here you can see that I've got four applications up and running, and you can see the IP address of the server that they're on along with the port. You can see that they are running a Let's Encrypt SSL for the additional security, you can see that the access is "access list only," and the status is online, meaning everything's up and running and things should be working just fine. So let's go ahead and jump over to image, or img.dbtech.site. That works just fine without issue there. I tell you what, though, let's open this in a new browser like so, let's drag this up here, there's Firefox. Everything here should work just fine, but that's because I'm on my home IP address. Now if I were to come over here and connect and just get myself a new IP address, then if I refresh, now I have to enter a password. So let's go ahead and cancel that, let's just refresh: in order to get here I have to put in a username and a password. If I do that, now I have access. So that's what the access list does.

I've currently got it set up to meet one of two criteria. Let me close that. We come back over here and we'll take a look at our access list. Let me change this, I'll go to edit access list: it's either "publicly accessible," which means anybody can access it as long as they know the URL, or we've got an access list, one user, one rule. So let's take a look at that. We come over here to access lists and we can see that we've got authorization as one user, the access is one rule, it satisfies any of those rules, and four proxy hosts are using this access list. Let's take a look at this access list. Of course I could name this whatever, but I just like "access list," so I used it. Here you can say "satisfy any"; otherwise it's "satisfy all." So if we come over here to authorization, I put in a username and a password; that's what I had to enter just a moment ago to get access to my server, or to that website. So if they enter that, that's one way to get in past the security. The other one is to allow my home IP address. So if I'm connected to my home network, either by being home or via the VPN that I've got set up that gives me access to my home network, as long as I'm connected from my home IP address then I'm able to access the sites on my server that are publicly accessible, or accessible to the internet rather. If I'm not home, I'll have to put in a username and password, or I'll have to VPN into my home network to get an IP address from home in order to connect.

Okay guys, there you go. That covers everything I wanted to say in this video. Hopefully it made sense. I'm actually going to have to go back through and edit this video now and try to put it together in such a way that it makes sense to me and hopefully makes sense to you. But if it did, and I did a good job of the edit and it made sense, do me a favor: give the video a thumbs up. It would help me out a bunch. If you're interested in home server stuff and that kind of thing, definitely get subscribed. I've got a whole new series coming out here very soon about setting up some stuff on a Raspberry Pi for a little mini home server. I just got confirmation back from a couple of companies last night that are going to sponsor some stuff, so I'm waiting on hardware to come from them. But definitely get subscribed if you're interested in home server stuff with Docker and Portainer and OpenMediaVault, all that good stuff. With all that being said, I'm going to go ahead and wrap things up here. As always, thanks for your time, I always appreciate your support, and I'll talk to you in the next video.
Info
Channel: DB Tech
Views: 14,768
Keywords: DB Tech, DBTech, OpenMediaVault Tutorial, secure home server, secure my home server, docker security, home server security, home server remote access, home server best practices, home server security tipe, self-hosting security, self-hosting security tips, how to secure my home server, how to secure my docker, cloudflare for home server, secure home server with cloudflare, nginxproxymanager home server security, nginx proxy manager home server security, home server SSL
Id: tJMQz0TKTvM
Length: 19min 16sec (1156 seconds)
Published: Wed Oct 07 2020