this post was submitted on 01 Dec 2023
35 points (85.7% liked)

Selfhosted


I recently got a Synology NAS and I am trying to set up Emby. I wanna host a media server; however, I wanna be able to access the Emby location from anywhere and let's say my mom access it. Just I wanna keep it secure. Should I use Cloudflare?

[–] SmokingKinoko@lemmy.moe 7 points 11 months ago (2 children)

I'm just worried about attacks on my router in case someone gets ahold of the link. I'm learning all this security stuff. I actually helped my friend with his Lemmy instance and got it running.

I just know next to nothing about security...

Give me something to try and get working I'll pick it up, but I don't even know where to start with this stuff. I read something the other day about using Cloudflare to connect to a VPS and then direct that to my NAS or something.

I have 2 VPS services and 1 already hosts my Jellyfin instance but I was gonna try out Emby; however, I wanna share my library with family like I share my Jellyfin with them. Just the VPS I run my Jellyfin on handles all the security stuff. shrugs

[–] scrubbles@poptalk.scrubbles.tech 8 points 11 months ago* (last edited 11 months ago) (1 children)

Absolutely a fair reason to be nervous. For this just follow the rules of minimum access. Only open the ports you need to open, and make sure they only point to the item you want to expose. That will take care of 99% of use cases. Most hacks you see happening right now with home labs are because someone did something pretty obvious - like exposing their router/firewall UI to the open internet (instead of it only being accessible to the local network), same with their data servers.

If you have a good network you can even restrict which IPs are allowed to connect through those ports, but remember if your mom's IP changes or you're sitting in a hotel then you're essentially blocking yourself out (without a VPN or something).

Finally, and I would save this for a little later, you can move your Emby/external services to an alternate VLAN. VLANs are virtual LANs, they are a block of IPs that have firewall rules in between each of them. So you could do rules like "Internal clients can talk to Emby, but Emby cannot talk to Internal Clients". This can be a daunting thing and will take a lot of trial and error, not to mention probably revamping your entire network - so I'd hold off for now.

[–] cryptix@discuss.tchncs.de 1 points 11 months ago* (last edited 11 months ago)

I wanted to do VLAN, but that would mean no more super fast local access

[–] JustEnoughDucks@feddit.nl 8 points 11 months ago

To reduce that, there are a few things you can do.

Option 1:

  • Only open port 443 and run everything through a reverse proxy like traefik. You can open other ports as you need them (game server for example).

  • Run crowdsec to get rid of 95% of bad actors

  • Whitelist IPs that you know traffic will be coming from and drop everything else

Option 2:

  • wireguard VPN and just VPN into your home network to access your server

Option 3:

  • Run tailscale

  • run fail2ban
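
An added example, not part of any comment in this thread: the minimum-access and VLAN advice from scrubbles and Option 1 from JustEnoughDucks, written as an nftables ruleset for a Linux-based router. The interface names, VLAN layout and every address (documentation ranges) are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example: all interface names and addresses below are assumptions.
flush ruleset

define WAN   = "eth0"         # internet-facing interface (assumed)
define LAN   = "eth1.10"      # VLAN for internal clients (assumed)
define DMZ   = "eth1.20"      # VLAN for the reverse proxy and Emby (assumed)
define PROXY = 192.168.20.10  # reverse proxy address (assumed)

table inet filter {
    set trusted_v4 {
        type ipv4_addr
        flags interval
        # Known remote sources. If one changes (new ISP lease, hotel Wi-Fi),
        # that client is locked out until this set is updated.
        elements = { 203.0.113.25, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The router's own admin services answer on the LAN only, never on WAN.
        iifname $LAN tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only 443, only to the proxy, only from trusted sources.
        iifname $WAN oifname $DMZ ip saddr @trusted_v4 ip daddr $PROXY tcp dport 443 accept
        # Internal clients can talk to Emby and to the internet.
        iifname $LAN oifname $DMZ accept
        iifname $LAN oifname $WAN accept
        # No DMZ -> LAN rule: new connections from Emby to internal clients hit policy drop.
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN tcp dport 443 dnat to $PROXY
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Running `nft -c -f <file>` checks the ruleset without loading it, which avoids locking yourself out of the router on a syntax or logic slip.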