I currently have a home server which I use a lot and which has a few important things on it, so I kindly ask for help making this setup safer.

I have an OpenWrt router on my home network with the firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have IPv6, so I use a domain that points to my IPv6 address, which is how I access my server when I am not on the LAN and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have AdGuard Home. I use a Let's Encrypt certificate with this proxy.

nginx, AdGuard Home and almost all of my services are running in containers. I use rootless Podman for containers. My network driver is pasta, and no container has "--net host", although the containers can access host services because they have the option "--map-guest-addr" set, so I don't know if this is any safer than "--net host".

I have two means of accessing the server via SSH, either password+2FA or SSH key, but the SSH port is LAN only, so I believe this is fine.

My main concern is that I have a lot of personal data on this server: some things that I access only locally, such as family photos and docs (these are literally not accessible over WAN and I wouldn't want them to be), and some less critical things which are indeed accessible externally, such as my calendars and tasks (using CalDAV and Baikal), for example.

I run daily encrypted backups to OneDrive using restic+Backrest, so if the server were to die I believe this would be fine. But I wouldn't want anyone to actually get access to that data. Although I believe that, more likely than not, an invader would be more interested in running cryptominers or something like that.

I am not concerned about DoS attacks, because I don't think I am a worthy target, and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about WireGuard, but I don't really understand how it adds security. I would basically just change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my server's security.

  • miau@lemmy.sdf.org (OP), 1 month ago

    That was a great answer, thank you so much!

    Yes, I didn't even notice that the family photos and docs don't need to be on that same server. Initially I just put them there to act as a local file share. But you are absolutely right, moving them off the public server is the best thing I can do to protect them.

    I will look into setting up a second server for the private stuff that is not publicly accessible.

    • Lyricism6055@lemmy.world, 1 month ago

      If this server is publicly accessible and gets pwned, they can use it as a jump box for your internal devices.

      • miau@lemmy.sdf.org (OP), 1 month ago

        That's a good point, I hadn't thought about it before. I like the possibility of sharing these files on my intranet, but I suppose you are right. Maybe I could use OpenWrt to split off two networks, one for public stuff only, but my knowledge of networking is quite limited.

        • Lyricism6055@lemmy.world, 1 month ago

          Yeah, what you're talking about is a DMZ; it still won't help a ton if you don't have strict firewall controls inside your network too.

          I just use WireGuard with firewall rules to restrict it to just my server with my Docker containers on it and my DNS.
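As an added illustration, not posted by any participant in this thread, of what the last two comments describe: a separate DMZ network for the public server, strict forwarding rules between zones so the DMZ cannot reach the LAN, and a WireGuard interface on the OpenWrt router whose clients can only reach the server (HTTPS and DNS). It is written as OpenWrt UCI configuration. The zone and interface names, the VLAN device `eth0.20`, the 192.168.100.0/24 DMZ subnet, the server address 192.168.100.10, its IPv6 address in the 2001:db8:: documentation prefix, the 10.10.10.0/24 WireGuard subnet, the UDP port 51820 and the key placeholders are all assumptions and must be adapted to the actual network.

```uci
# /etc/config/network  (added sections only; existing lan/wan sections are unchanged)
# ASSUMPTION: the DMZ is a tagged VLAN on eth0; on DSA-based routers use the port name instead.
config interface 'dmz'
	option proto 'static'
	option device 'eth0.20'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

# WireGuard endpoint on the router itself, so the server never needs an open inbound port for it.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ROUTER_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

# One section per client. allowed_ips is what the router accepts FROM this peer, so each client
# is pinned to a single /32 and cannot spoof another client's tunnel address.
config wireguard_wg0
	option description 'phone'
	option public_key 'PHONE_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '10.10.10.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/firewall  (added sections only)
# Both new zones default to REJECT: nothing may initiate traffic out of them unless a rule allows it.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN may reach the DMZ (use your own services from home). There is deliberately NO
# forwarding from dmz to lan, so a compromised server cannot be used as a jump box.
config forwarding
	option src 'lan'
	option dest 'dmz'

# The server still needs outbound internet: Let's Encrypt renewals, restic backups to OneDrive.
config forwarding
	option src 'dmz'
	option dest 'wan'

# Public exposure stays exactly the two ports already in use, to the server's IPv6 address only.
config rule
	option name 'WAN6-to-server-HTTPS'
	option src 'wan'
	option dest 'dmz'
	option family 'ipv6'
	option dest_ip '2001:db8:1:20::10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'WAN6-to-server-DoT'
	option src 'wan'
	option dest 'dmz'
	option family 'ipv6'
	option dest_ip '2001:db8:1:20::10'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'ACCEPT'

# The only inbound port added by WireGuard; unauthenticated packets are silently dropped by the protocol.
config rule
	option name 'WAN-to-router-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# Tunnel clients may reach the server's reverse proxy and its DNS, and nothing else.
config rule
	option name 'WG-to-server-HTTPS'
	option src 'wg'
	option dest 'dmz'
	option dest_ip '192.168.100.10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'WG-to-server-DNS'
	option src 'wg'
	option dest 'dmz'
	option dest_ip '192.168.100.10'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing both files, apply them with `/etc/init.d/network reload` and `/etc/init.d/firewall reload`. On the client side, set `AllowedIPs = 192.168.100.10/32` and `DNS = 192.168.100.10` in the phone's WireGuard profile so that only traffic for the server enters the tunnel; the router-side rules above are what actually enforce that limit, since a client config is under the client's control. Note that with this layout the private file share belongs on the LAN, not in the DMZ, and SSH to the server stays reachable from the LAN only, as in the original setup.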