Hello most excellent Selfhosted community,
I’m very new to this and am confused about how vulnerable my server and/or home network is with my current setup.
I just got a basic server up and running on a machine with proxmox and a DAS for 10tb of storage. I’ve got two LXCs running for a docker deployed arr stack and jellyfin+jellyseer stack. The proxmox server is connected to a router attached to a fiber ONT. Everything is accessed over the home LAN network and that’s it.
Everything is working correctly and my containers are all talking to each other correctly via ip addresses (gluetun network on the arr stack container). I’ve been reading up on reverse proxies and tailscale to connect to the server from outside my LAN network, and it’s mostly gone over my head, but it did make me concerned about my network security.
Is my current set up secure, assuming strong passwords were used for everything? I think it is for my current uses - but I could use a sanity check, I’m tired. I’m open to any suggestions or advice.
I own a domain that I don’t use for anything, so it would be cool to get reverse proxy working, but my attempts so far have failed and I learned I’m behind a double NAT (ONT and router) - and attempts to bypass that by setting the ONT into bridge mode have also failed. I don’t really need to access anything from outside my home network right now - but I would like to in the future.
Network security is a complicated beast to manage. If general public can access your services over the internet, that’s a threat you need to mitigate. Strong passwords is a good start on that, but it doesn’t take into account if there’s a flaw or bug on the service you’re running. Also if you have external users, they might reuse their passwords and leak for those might cause a threat too, specially if there’s privilege escalation bugs on the software you’re running.
And so on, it’s a too wide field to cover in a short comment here, but when you’re building your stuff, and what is maybe the most disticntive feature on a good professional between a not so good one, is to think ahead and prepare for every imaginable scenario where something goes wrong. Every time you add a way to access your network, no matter how minuscle, think what happens if that way gets compromised and what it might mean on the very worst case.
Maybe you want to add another access point to your network since your terrace isn’t properly covered. That’s nice to have, but now everyone around 100 meters around your house/apartment might have access to your stuff if they can break your wifi security. Maybe you set up a reverse proxy or tailscale on the stack. Now the whole internet can at least probe your stuff and try to find vulnerabilities, try to use stolen credentials and even try to social engineer their way into your stuff. Or maybe you made an mistake and left something open that shouldn’t be.
I’m not trying to scare you off out of anything. Go ahead and play with your stuff, break things, learn how to fix them, have fun while doing it. Just remember to think ahead about worst case scenarios, weigh their risks, think ahead and then go on. Learn about DNAT, reverse proxies, VPN and network layers and whatever you come across on your adventure but keep in mind that shit will hit the fan at some point. And learn to accept that, learn from your mistakes and do better next time.