this post was submitted on 13 Jul 2023
6 points (100.0% liked)
Set up Cloudflare, I believe the free tier includes DDoS protection. Then set up your ingress to only allow Cloudflare IPs, either with iptables or, even better if your VPS supports it, with a network policy.
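One way to apply the "only allow the CDN's IPs" advice above, as an added example that is not from this thread: a POSIX shell function that emits iptables rules restricting inbound 80/443 to a supplied list of ranges and drops everything else. The CIDRs are constructed placeholders (RFC 5737 documentation ranges), not the provider's real ranges, and the script only prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables rule set that
# accepts HTTP/HTTPS only from a CDN's published edge ranges and drops the rest.
# Placeholder ranges (constructed): substitute the list the provider publishes.
CDN_RANGES="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Print rules that restrict inbound TCP ports ($1, comma separated) to the
# CIDRs in $2 (one per line). Output is text only; nothing is applied, so the
# result can be reviewed before it is loaded.
gen_ingress_rules() {
    ports="$1"; ranges="$2"
    echo "iptables -N CDN_ONLY"
    echo "$ranges" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        # Skip anything that is not a.b.c.d/len; a stray line must not become a rule.
        case "$cidr" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9][0-9]) ;;
            *) echo "skipping malformed entry: $cidr" >&2; continue ;;
        esac
        echo "iptables -A CDN_ONLY -s $cidr -j ACCEPT"
    done
    # Default deny for the protected ports, then hook the chain into INPUT.
    echo "iptables -A CDN_ONLY -j DROP"
    echo "iptables -I INPUT -p tcp -m multiport --dports $ports -j CDN_ONLY"
}

# Number of ACCEPT rules produced; a quick sanity check on the generated set.
count_accept() { gen_ingress_rules "$1" "$2" | grep -c -- '-j ACCEPT'; }

gen_ingress_rules "80,443" "$CDN_RANGES"
```

Note that any traffic reaching the origin directly (for example from a bot that found the real IP) is dropped on those ports, which is the point of the allowlist.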
I appreciate the tip, but as a privacy-minded self-hoster I try to avoid companies like Cloudflare. Surely there has to be a way to DIY DDoS protection?
A 2 gigabit event isn't big enough to be considered a real attack; a service like Cloudflare can sink a 2 terabit attack every day of the week.
Building a DDoS protection service (that isn't just black-holing traffic) starts with having enough bandwidth to throw away the attack volume, plus keep your desired traffic working, and have a bit of overhead to work your mitigation strategies.
What this means is that to DIY a useful service you start by buying a couple of terabits of bandwidth in 'small' chunks of a hundred gigabits or so in most peering locations around the globe, and then you build a proxy layer like Cloudflare on top of it with a team of smart dudes to automate outsmarting the bad guys.
I don't like Cloudflare either, but the barriers to entry in this industry are epic.
Can you go IPv6-only with dynamic DNS + recycling the IP every day? My Raspberry Pi doesn't get bot traffic. I have 22, 80, 443 and a few other ports open on a public IPv6 address.
@brownmustardminion pfSense + incoming geo-IP control (allow only from certain regions)
I imagine that's essentially what I've accomplished with Traefik already. The question I have is whether geoblocking does much to mitigate a DDoS. I know for sure it's at least useful to block third world scammers and bots from running hacking scripts against my server.
@brownmustardminion DDoS usually involves attacks from multiple geographical locations simultaneously. You will eliminate a large threat surface by restricting which countries are allowed for incoming traffic. Of course this won't prevent targeted attacks from hackers who know you, want revenge and can set up bots in a single location, but these are rare. Most attempts are by script kiddies.