I know I've been going on and on about my home server. If you ever decide to host your own server, you should know that it's not something you do once and leave forever. You've got to continuously monitor it for security issues, patch vulnerabilities in your services, and make sure bots don't compromise access or take your whole server down. This month's log is all about doing the basics and a bit more to secure your home server.
Like I explained in my infrastructure topic, my setup doesn't involve any open ports on my home server or router, which reduces the attack surface quite a lot. I use a VPS to reverse proxy into my home server, so the outside world knows only about my VPS and not the actual server. I don't run any of my services on the VPS either; they run as Docker containers on my home server. This ensures that even if my VPS is compromised, I can simply shut it down to keep my services safe.
I've disabled password login on the VPS and only log in over SSH with a key pair. Nobody else can SSH into my server because only I hold the private key, so make sure it's stored safely. Next, I moved SSH from the default port 22 to another random port, because bots brute-force the well-known ports. I've also disabled root login on the VPS and use a dedicated user for sudo operations. These are pretty basic, and everyone running a VPS should do them. For some additional security, check out the next section.
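A quick way to confirm those SSH settings actually took effect is to audit the sshd_config itself. The following shell script is an added example, not code from the original post or from any project mentioned here; it checks the three changes above plus key authentication, assumes a plain "Keyword value" file without Match blocks, and runs against constructed sample configs rather than a real host's file.

```sh
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening steps above. Assumes a plain "Keyword value" file with no Match
# blocks; like sshd, the first uncommented occurrence of a keyword wins.

# sshd_opt FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                               # skip comments
        NF >= 2 && tolower($1) == key { print $2; exit }  # first match wins
    ' "$1"
}

# audit_sshd FILE -> prints one finding per line; exit status = number of findings
audit_sshd() {
    file="$1"; findings=0
    # Fall back to OpenSSH's compiled-in defaults when a keyword is absent.
    pw=$(sshd_opt "$file" PasswordAuthentication); pw=${pw:-yes}
    root=$(sshd_opt "$file" PermitRootLogin); root=${root:-prohibit-password}
    port=$(sshd_opt "$file" Port); port=${port:-22}
    pubkey=$(sshd_opt "$file" PubkeyAuthentication); pubkey=${pubkey:-yes}
    [ "$pw" = "no" ]      || { echo "PasswordAuthentication is '$pw' (want: no)"; findings=$((findings+1)); }
    [ "$root" = "no" ]    || { echo "PermitRootLogin is '$root' (want: no)"; findings=$((findings+1)); }
    [ "$port" != "22" ]   || { echo "Port is 22 (want: a non-default port)"; findings=$((findings+1)); }
    [ "$pubkey" = "yes" ] || { echo "PubkeyAuthentication is '$pubkey' (want: yes)"; findings=$((findings+1)); }
    return "$findings"
}

# Constructed sample configs (not taken from any real host) to show both outcomes.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Stock-style config: the commented line is inactive, so passwords stay enabled
#PasswordAuthentication no
Port 22
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    if audit_sshd "$cfg"; then echo "all checks pass"; else echo "fix the findings above"; fi
done
```

On a live host, point audit_sshd at /etc/ssh/sshd_config, or save the output of `sshd -T` to a file and audit that instead to see the effective values after Match blocks and included files are applied.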
I did mention CrowdSec earlier. It's an open-source security solution that mitigates common attacks using crowdsourced blocklists. If it sees an attack pattern that's already on its list, it blocks the IP performing it. The block can be configured as a captcha challenge, rate limiting, or an outright ban, and each can be set for a specific duration in the configuration. Since I didn't want anyone else accessing my home server, I set up a ban whose duration increases exponentially each time the same IP attacks the server again. The ban duration starts at 768 hours (32 days).
Even after installing CrowdSec, I was getting a lot of email notifications about bots trying to take my server down. The blocking and ban duration did help, but the number of unique bots coming from different countries was huge. This is when I decided to implement another layer of protection: geoblocking.
Geoblocking is exactly what the name suggests: blocking based on location. It can work in blacklist mode, allowing every country except a few, or in whitelist mode, blocking every country except a few. I wanted to block every country except the one I access my server from, so I went ahead and did that.
I used geoip-shell, an open-source project by friendly-bits. It's easy to install and configure, and I set it up on my VPS.
Download the latest release using curl:
curl -L "$(curl -s https://api.github.com/repos/friendly-bits/geoip-shell/releases | grep -m1 -o 'https://api.github.com/repos/friendly-bits/geoip-shell/tarball/[^"]*')" > geoip-shell.tar.gz
Extract it using:
tar -zxvf geoip-shell.tar.gz
Once extracted, cd into the directory and run:
sh geoip-shell-install.sh
This will run you through the interactive setup, where you can configure it to work in whitelist mode. To allow only your own country, you need its two-letter country code: for instance, it's IN for India, DE for Germany, JP for Japan, and so on. Once the setup was complete and geoblocking was on, my notifications suddenly went silent. No more traffic from any country except mine. I even tested it using a VPN, and I couldn't access my own server.
Doing all this doesn't ensure complete protection against threats, but it's a step in the right direction. Ultimately, the goal of self-hosting isn't just to set up a service and forget it, but to build an environment that is resilient and reliable. While no system is ever impenetrable, these layers of security significantly raise the bar for entry, making your server a much less attractive target for automated scripts.